Sally Yoon is an IPilogue Writer, IP Innovation Clinic Fellow, and a 2L JD Candidate at Osgoode Hall Law School.

As discussed in part one, Human Rights Watch (HRW) released a report in late May outlining the privacy risks school children face across the globe. After a short summary, the report immediately explores ways we can address the risks, through a comprehensive list of recommendations to governments, ministries and departments of education, education technology companies, advertising technology companies and other third-party companies that may receive data from EdTech Products.

Recommendations to the government, education technology companies, AdTech companies and other third-party companies receiving sensitive data all included urgent remedial action to address the children who have been exposed to the risk of misuse and exploitation – identify, remove, and prevent the further spread of children’s data. Governments were also specifically suggested to bear the responsibility of demanding AdTech companies delete all children’s data received from EdTech during the pandemic. Further recommendations also included law reform to adopt, update, strengthen, and hold accountable child data protection laws “to deliver a modern child data protection framework that protects the best interests of the child in complex online environments.”

Alarmingly, the report found that out of the 49 countries examined, 14 countries lacked any form of data protection whatsoever, while others merely referred to children or were outdated and did not address more modern technology. The OPC Guidelines for Obtaining Meaningful Consent do include a specific section on consent and children and the importance of adult supervision for data collection for children below the age of 13. However, Canada still falls behind in implementing modern privacy legislation that addresses child consent. For example, under the California Consumer Privacy Act, businesses cannot sell personal information of children who are less than 13 years of age, unless the child’s parent or guardian affirmatively authorizes the sale. Moreover, the European General Data Protection Regulation sets the age of consent at 16, requiring parental consent from those 15 years old or younger. Section 15 in Canada’s Bill C-11 mandates that “an organization must obtain an individual’s valid consent for the collection, use or disclosure of the individual’s personal information,” but does not specifically address a minimum age for consent.

Additionally, the report provided recommendations for ministries and departments of education. These recommendations included monitoring endorsed educational services and the companies providing those services, as well as creating written contracts regarding children's data protection between institutions and EdTech providers — not with the child. Moreover, EdTech companies are advised to write their privacy policies in “clear, child-friendly, and age-appropriate language” and provide separate legal terms for guardians and educators.

With all this said, we perhaps should not be too eager to place all the blame on governments and companies. In its final segment, “Failure to Protect”, the report highlighted testimonies from parents and educators. This showed how students, parents and educators alike were all operating in blind faith during the pandemic. The exceptional situation of the pandemic made everyone too willing to accept and comply with quickly-changing environments – children trusted their parents, parents trusted the teachers, and teachers trusted their schools and their governments.

The report's recommendations highlight a collective responsibility in ensuring the safety of our children online. We are all responsible to remedy past wrongs and prevent further risks to our children by addressing modern technology’s most glaring privacy issues.