top of page

Key findings for Children's Rights to Data Privacy in the Digital Era

The privacy of individuals first became a global issue following events like the Cambridge Analytica scandal and whistleblower Edward Snowden's revelations. Concerns continue to intensify with reports of data breaches, corporate and institutional covert data collection practices, and unethical handling of personal data by companies, institutions, and governments as highlighted in the media.

Privacy advocates and researchers have expressed concerns about the normalization of surveillance by governments, institutions, and companies. They argue that our personal data is utilized by these organizations in ways that shape our opportunities and choices, ultimately affecting our life outcomes. Data is increasingly gathered through various means, including biometrics, cameras, social media communications, web browsing, purchases, and smart devices. The rapid integration of smart technologies, storage capacities, algorithms, and data analytics has led to the extensive collection, aggregation, analysis, and use of personal data to create detailed personal dossiers, often without our knowledge or informed consent. It is evident that commercial data processing can generate inequalities by denying equal access to opportunities, offers, and information.

Regulatory advances such as the EU's General Data Protection Regulation (GDPR) in May 2018, the Children's Online Privacy Protection Act (COPPA), and the California Consumer Privacy Act in January 2020 have made progress in strengthening regulation to support improved privacy and the individual control of personal data. However, although privacy advocates are concerned, individuals often struggle to understand how their personal information and privacy are at risk in the digital environment. In addition to regulatory safeguards, raising awareness about the risks to our privacy when using online services is crucial, enabling individuals to actively participate in safeguarding their personal data.

Researchers have determined that vast amounts of data are collected from children, often without consent or security provisions, and without parental awareness (Livingstone and Yoo, 2018, January 18). An early study by SuperAwesome in December 2018 revealed that children under 13 encounter between 1 and 2 million trackers annually, collecting data points such as location and device identifiers. In 2018 this number was estimated to increase to around 12 million trackers per year for 12-year-olds as they spend more time online. Today, some 6 years on the number is likely far more. It is key to recognise that online advertisers more often fail to differentiate between adults and children and collect data regardless of the users age, and that parents are often unaware of how advertisers target children.

Children, as early adopters of technology, are frequently subject to corporate surveillance practices without their knowledge. Given their perceived status as ‘digital natives,’ it is important to question their understanding of the commercial models and practices that exploit data from their internet activities. This research aimed to understand how much parents and teenagers know about these issues, and to identify strategies, if any, that they employ to mitigate privacy risks with regard to institutional and corporate actors.

Interviews were conducted with parents and their teenagers in New Zealand to understand their perceptions and management of online privacy risks. We adopted a grounded approach in these interviews. While parents and teenagers often consider privacy in relation to their own information sharing on social media, they also have broader concerns about privacy risks related to data sharing with institutions and corporate surveillance. We were able to identify how they conceptualised privacy and privacy risk, and this allowed us to position their concerns and concepts in relation to their own data sharing, sharing data with institutions, and corporate surveillance. We were particularly interested in how parents thought about children's personal information in the digital context, and whether they saw corporate surveillance of their own and their children's data as problematic.

Key Insights

The 'Children's Rights to Data Privacy' project research uncovered unexpected challenges that have implications for policymakers, educators, parents, and teenagers.

  • Parents and teenagers had similar concepts of privacy and personal data, although they differed in the value they placed on these.

  • Both parents and teenagers primarily conceptualized privacy in interpersonal terms, viewing online privacy as a means of protecting personal information that could cause relationship conflicts, victimization, and reputational harm. They frequently discouraged children from sharing information that could lead to victimization (online and offline) by strangers and people from their communities. Teenagers echoed their parents' concerns about protecting information that could lead to them being identified offline, or becoming victims of identity theft and fraud. These issues, reinforced through media and education, remain top of mind.

  • Additionally, parents were also concerned about personal intimacies being a source of discrimination later in life. They worried that teenagers shared too much about their intimate lives online, and discouraged them from uploading content that might impact their future opportunities, such as when applying for a job. However, teenagers actively engaged with privacy settings to control who could access the information that they or others uploaded about them. They sought platforms that provided them the ability to control access.

  • These privacy concerns were largely based around information that parents and teenagers knowingly shared online. They had much less awareness of data that might be obtained through other means, such as data traces or inferred data commonly collected by companies and institutions.

  • Overall, parents and teenagers expected that when they shared information with institutions, it would be kept secure and confidential and thus remain out of the public domain. They did not expect that information other than what they volunteered, or that related to their transactions with these institutions, would be collected. They did not perceive institutional data practices as threatening to personal privacy since such data, although potentially sensitive information, was expected to remain secure, not be shared, and thus could not affect their personal relationships or status.

  • However, neither parents nor teenagers conceptualized privacy in relation to the corporate collection of personal data. They believed that data collected by corporations was largely utilitarian and benign, and therefore nonthreatening even if made public. Although aware of targeted advertising based on their web searches, they did not believe companies were interested in personal information beyond their consumer interests, and often viewed targeted advertising as convenient. Some parents believed that companies did not collect information about their children, others had not given it much thought.

  • While there was a general lack of awareness about what and how much data is collected, parents and teenagers regularly questioned how corporations having knowledge about them could harm them. They primarily conceptualized privacy in interpersonal terms, where personal information, in the wrong hands, could result in physical and mental harms, and discredit them online. They could not see how corporate data practices could be harmful, and least of all how this might impact their personal relationships with others.

  • When confronted with case studies about what apps can collect about them, parents and teenagers were concerned about location tracking and the potential for unwanted communication and physical contact by others. These responses confirmed that they valued spatial privacy, keeping their personal location and family space protected. While they were shocked at how much companies could glean about their daily activities, they were not necessarily motivated to take action to address corporate surveillance.

  • Both parents and teenagers did exercise privacy strategies in relation to their personal communications and data uploads online—data which they themselves shared online. However, they did not currently engage with data protection strategies aimed at preventing commercial organizations from tracking them online.


These key findings provide a critical assessment of the existing regulatory approaches, which rely on consumers, parents, and teenagers to assess and manage data protection for themselves. The findings suggest that as parents and teenagers do not perceive corporate surveillance to be harmful, they are unlikely to engage in strategies and decisions that limit or prevent corporate data mining of their personal information. There is an urgent need to call on businesses and policymakers to take a stronger approach to protecting children's data.

bottom of page