Data Protection and Privacy: A Child's Rights

Updated: Jul 24, 2020

There is no denying the relevance of data protection and privacy in the world today. It is a field that is receiving unprecedented international attention. Data protection entails the process of safeguarding individual information from corruption, compromise, or loss. It is the fair and proper use of information about people.

The Internet, as used in the world today, presents children with undeniable opportunities such as access to information, entertainment, and other social activities. With continuous technological advancement, privacy and data protection rights of children are faced with new and complex risks. The fact that children's personal data can be collected from the moment they are born raises serious questions. Importance needs to be placed on the protection of the personal data of children as they are less likely to be aware of or familiar with the risks and consequences regarding the processing of their personal data. As it is, these issues are complex enough for a typical adult.

Personal Information of a Child

Children have personal information that is unique to them. According to Section 6501(8) of the United States Child Online Privacy Protection Act (COPPA), personal information means individually identifiable information about an individual collected online, including: a first and last name; a home or other physical address; an e-mail address; a telephone number; information concerning the child or the parents of that child, among others. Similarly, Article 1.3(xix) of Nigeria's Data Protection Regulation, 2019 defines personal data as any information relating to an identified or identifiable natural person that is capable of identifying them directly or indirectly.

Data Protection and Privacy Risks to Children

Children are pioneers in exploring and experimenting with new digital technologies and services and more often than not, they experience newly emerging risks before adults know about their existence or can put mitigating strategies in place (Stoilova, 2019). It can be challenging to ensure a child's privacy, as they may not understand what information is safe to share online. For instance, the use of social media by children could leave them vulnerable due to their personal information becoming available online. Children quickly become targets of online attacks, information theft, cyberbullying, monitoring technologies, corporate data collection, digital kidnapping, identity theft, profiling, among other things (Oloyede, 2018).

With the coronavirus pandemic currently plaguing the world, children are even more at risk as many educational institutions have turned to online platforms for schooling (Bailey, 2020). The collection of children's data by these platforms without adequate protection and privacy mechanisms could lead to several unique concerns. Possible byproducts of the data practices of educational technology companies include corporate tracking of student activities both inside and outside of the classroom, loss of autonomy due to ongoing monitoring of their activities and sale of student data to third parties often for purposes of advertising to them. There is also the concern around discrimination against young people from marginalised communities like refugees and those from poor households due to a wide digital divide, lack of access to internet, smart devices, and reduced economic power.

Protecting Children's Privacy Online

Various legal frameworks have been established over the years that provide for a child's right to data protection and privacy. Some of these frameworks equally set out the conditions for the processing of their personal data.

The United Nations Convention on the Rights of the Child (CRC) emphasizes that children have specific rights to privacy. It states that no child shall be subjected to arbitrary or unlawful interference with his or her privacy, family, home or correspondence, nor to unlawful attacks on his or her honour and reputation and that the child has the right to the protection of the law against such interference or attacks. This right is equally stated under Article 10 of the African Charter on the Rights and Welfare of the Child.

In the European Union (EU), Article 8 of the General Data Protection Regulation (GDPR) contains specific requirements regarding consent for the processing of personal data of children. According to Article 8, the general rule requires parental or guardian consent for all children under 16 years old in situations where information society services are offered directly to them (Malkaite, 2020). Additionally, the controller is required to ensure that parental or guardian consent had been given.

In support of this, Recital 38 of the GDPR states that such specific protection should, in particular, apply to the use of personal data of children for marketing or creating personality or user-profiles and the collection of personal data concerning children when using services offered directly to a child. Still, the consent of the holder of parental responsibility should not be necessary for the context of preventive or counselling services offered directly to a child.

Similarly, under the COPPA, organisations are mandated to seek verifiable consent from the parent or guardian before processing the data of children on their platform. Organisations processing the personal data of children are expected to have easy-to-comprehend privacy notices on their websites describing their privacy practices and ensure the confidentiality and integrity of such processing.

Legal Framework for Protection of Children in Nigeria

The Child Rights Act 2003 reinforces the constitutional right of a child to privacy under Section 8, which guarantees the Nigerian child's right to privacy, family life, home, correspondence, telephone conversation, and telegraphic communications. This right to privacy also extends to the child justice administration procedure under Section 205 of the Act.

Under the NDPR, Article 3.1(1) mandates that the language used in a privacy notice must be comprehensible when the processing relates to a child. Also, when relying on consent as a legal basis to process the data of a child, such consent will not be valid if it will engender the direct or indirect propagation of child rights violations. However, beyond these two provisions, the NDPR does not have any other special provisions for children.

The NDPR offers little clarity as to the actual implementation and impact of several provisions that may significantly affect children and their rights, leading to legal uncertainty for data controllers, parents and children. This uncertainty relates, for instance, to the age of consent for processing children's data, the technical requirements regarding parental consent in that regard, the interpretation of the extent to which profiling of children is allowed and the level of transparency that is required, vis-à-vis children.

The Cybercrimes (Prevention, Prohibition, Etc.) Act, 2015 also criminalises several offences that could affect children's presence online. Cyberbullying, distribution and production of child pornography, cyberstalking, racial and xenophobic crimes impacting children are punishable under the Act.


There is a need to either review the NDPR to sufficiently provide protection for children or to enact a Data Protection Act that will recognise these rights and create better safeguards for children. Stoilova (2019) believes that beyond the minimal legal protection offered in the existing laws, there should be educational measures for parents, guardians, teachers and organisations to ensure the safeguarding of children's data and privacy. Organisations processing the personal data of children should also consider adopting privacy-by-design and by-default as well as the provision of child-friendly age-appropriate mechanisms for privacy protection, and a sufficient complaint and remedy mechanism.


There should be joint action by all stakeholders aimed at protecting children from digital privacy risks. The digital age is here to stay and with increasing technological advancements, legislation alone is insufficient. Sensitisation and awareness are equally crucial to data protection and privacy rights of children.


Bailey, J., Burkell, J., Regan, P. and Steeves, V. (2020). "Children's Privacy is at Risk with Rapid Shifts to Online Schooling under Coronavirus." Available at: