In the context of the Brazilian Children's Day, several advertising campaigns aimed at children and teenagers take place in the month of October (children are individuals up to twelve years old and teenagers are those between twelve and eighteen years old, according to the Child and Teenager Brazilian Statute - ECA). Under the Brazilian Data Protection Law (LGPD), special measures must be taken when processing personal data of minors.
In this scenario, we listed some key points to keep in mind in situations involving children's and teenagers' data.
1. How to process minors’ personal data?
Children and teenagers are considered a vulnerable group by the Brazilian law and, therefore, the LGPD determines that any data processing activity involving these data subjects must always be conducted in their best interests.
According to a guideline published by Brazilian Data Protection Authority (ANPD), the processing of children's data is not restricted to the consent of their legal guardians, as such activity can be carried out under other legal grounds, provided that the children’s best interests are observed and prevail.
2. How should data subjects be informed about data processing?
One of the main data protection rules is the duty to inform data subjects on the processing of their personal data, which is also applicable when the data subjects are children. In addition to informing the child's parents or legal guardians, the LGPD determines that the minors themselves may have access to such information as well.
For this purpose, the law states that the information must be presented in a simple, clear, and accessible way, taking into account the data subject's physical, motor, perceptual, sensory, intellectual and mental characteristics. Moreover, when appropriate, it is recommended to use audiovisual resources to ensure this type of accessibility.
3. Proper development matters
When it comes to games, the LGPD prohibits controllers from conditioning children's participation in games, internet applications or other activities upon the collection of their personal data, unless they are strictly necessary.
Given the importance of this topic, the UK Information Commissioner's Office (ICO) highlights, in its Age Appropriate Design Code, some practical measures that can be adopted to ensure that the best interests of minors, including:
(i) all high privacy/protection options should be enabled by default;
(ii) geolocation and profiling options should be disabled by default;
(iii) information about the parental control applied must be shared in clear and accessible language with minors; and
(iv) simple and easy online tools for minors to exercise their rights must be adopted - although there are no legal requirements like these in Brazil, such measures promote compliance with the LGPD and are recommended.
4. On ANPD’s focus
To strengthen the protection of this group of data subjects, ANPD considers the processing of children's and teenagers’ data as one of the factors that classifies a processing activity as high risk and an infringement as serious, as explained below:
-
Besides other hypotheses, high risk processing is a processing activity that uses children’s and teenagers’ data and that, at the same time, is carried out on a large scale or is capable of significantly affecting the interests and fundamental rights of the data subjects, in accordance with the Regulation for the Enforcement of the LGPD for Small Processing Agents (Resolution CD/ANPD No. 02/2022); and
-
Besides other hypotheses, serious infringement is an infringement that involves children’s and teenagers’ data and that may significantly affect the interests and fundamental rights of data subjects, in situations where the processing activity may significantly prevent or limit the exercise of rights or the use of a service, as well as cause pecuniary damage or pain and suffering to data subjects, in accordance with the Regulation on the Imposition of Administrative Sanctions (Resolution CD/ANPD No. 04/2023).
The Cybersecurity & Data Privacy team at TozziniFreire Advogados is available to provide more information on this matter and recommend initiatives to mitigate risks involving the processing of minors' personal data.