The field of the Internet of Things ("IoT") is developing and expanding at a dizzying speed. More and more of our devices are "smart" devices, connected to the internet, from our phones to our watches and even our fridges. According to research by the Gartner consultancy, there are currently around 6 billion internet-connected devices in use worldwide, and that figure is set to grow to over 20 billion by 2020.
The increased use of this technology is seen across the board in the post-millennials, who have never known a world without it. This generation, most of whom are still children (in the privacy sense of the word, which we will explain further down), have been constantly exposed to IoT from a very early age, with (relatively) easy access to items ranging from parents' smartphones to interactive dolls. And this means that, indisputably, they are more tech savvy than any prior generation.
Processing personal data is an intrinsic part of how IoT products work. Whether or not these products are targeted at children, many of them are likely to be used by children and collect their data. It is therefore necessary for IoT data controllers to have an approach for how they will treat children's data and to be aware of the privacy rules regarding children, especially under the EU's General Data Protection Regulation ("GDPR") taking effect on 25 May 2018. This is particularly important if your product is likely to be used by children, whether or not it is targeted at them.
However, it isn't all bad news. With tech-savvy kids comes a world of IoT business opportunities in processing children's data and creating bespoke products for the children of the new millennium; opportunities which can be exploited if children's privacy rights are adequately upheld.
So what do you need to know?
1. "Being technologically of age" varies in each country:
The first step is to clearly identify which individuals are considered "children" under privacy law. For example, the default position under GDPR is that any person under 16 is a "child"; however, local requirements currently differ and can go down to as young as 13 years old. Outside the EEA, "being technologically of age" varies in each country.
2. What do you need to do if you want to collect children's data?
2.1 You are likely to need parental consent. If you process IoT data from children in multiple jurisdictions, you will have to think carefully about:
(a) how to implement appropriate parental consent mechanisms for IoT devices across the different jurisdictions; and
(b) how to market IoT devices targeted at children, without a harmonised system.
2.2 Always treat children's data as sensitive:
Where children's data is involved, companies should take extra care to implement adequate security measures to minimise and avoid risks of hacking and security breaches. With the internet providing further opportunities for paedophiles and bullies, companies will need to think carefully about how their IoT products can protect children and stop their information falling into the wrong hands.
2.3 Design IoT products so that they are child friendly and allow children (and, where applicable, their parents) to exercise their rights.
3. What do you need to do if you do not want to collect children's data?
If your IoT is definitely not for children, do not take for granted that this is evident to the audience. Parents will hand over their smartphones, put Fitbits on children, and so on.
3.1 Clearly tell your audience that your IoT is not for children:
You may also want to find a way to restrict access to those aged 16 and above so that variations in child consent requirements don't apply.
3.2 Embrace the fact children may use your IoT and define an approach:
Let's face it: children are often better at navigating technology than their parents. There is a risk some children might find ways round access restrictions (or even parental consent mechanisms). If you have IoT which is likely to appeal to children, the first step is clearly to try to prevent circumvention of restrictions, but also make sure you have an approach for how you will deal with this circumstance if it does happen.
In conclusion, more and more children have access to IoT. This opens a window of opportunity to companies who want to target a young audience and create products and services for this tech-savvy and tech-hungry group. It also expands the market for IoT that is not targeted at children but is nevertheless appealing to a young audience. A world of exciting prospects is out there. But with these incredible opportunities comes a greater level of privacy responsibility and awareness.