Digital by Default: Children’s Capacity to Understand and Manage Online Data and Privacy

How do children understand the privacy implications of the contemporary digital environment? This question is pressing as technologies transform children’s lives into data which is recorded, tracked, aggregated, analysed and monetized. This article takes a child-centred, qualitative approach to charting the nature and limits of children’s understanding of privacy in digital contexts. We conducted focus group interviews with 169 UK children aged 11–16 to explore their understanding of privacy in three distinct digital contexts—interpersonal, institutional and commercial. We find, first, that children primarily conceptualize privacy in relation to interpersonal contexts, conceiving of personal information as something they have agency and control over as regards deciding when and with whom to share it, even if they do not always exercise such control. This leads them to some misapprehensions about how personal data is collected, inferred and used by organizations, be these public institutions such as their schools or commercial businesses. Children’s expectation of agency in interpersonal contexts, and their tendency to trust familiar institutions such as their schools, make for a doubly problematic orientation towards data and privacy online in commercial contexts, leading to a mix of frustration, misapprehension and risk. We argue that, since the complexity of the digital environment challenges teachers’ capacity to address children’s knowledge gaps, businesses, educators, parents and the state must exercise a shared responsibility to create a legible, transparent and privacy-respecting digital environment in which children can exercise genuine choice and agency.

The more children’s lives become digital-by-default, the more the design and functioning of the digital environment matters, as do children’s understanding of and capacity to manage their data and privacy online. Children are involved, one way or another, in all interpersonal, institutional and commercial privacy contexts, each with its own distinctive logic and outcomes. Our child-centred qualitative study of children’s understanding of these contexts revealed that children primarily conceptualize privacy, including their own data online, in relation to interpersonal contexts. As expected, children are most familiar with the contexts where they play an active role in how their data is shared, rectified, used and removed. Significantly, they draw on this understanding to generalize about privacy and to guide their data protection tactics in other contexts. Some aspects of how privacy works in institutional contexts are also familiar, but here children rely on existing regulations and build relationships of trust to manage their privacy. This accords them a fairly passive role within an environment where they are heavily monitored and regulated (Steeves & Regan, 2014) and are accorded little knowledge or choice. Children’s expectation of agency, and their tendency to trust familiar institutions, make for a doubly problematic orientation towards data and privacy online in commercial contexts, leading to a mix of frustration, misapprehension and risk. Finally, children find the commercial domain perplexing and manage to grasp only some aspects of how it operates. Again, they have little choice but to adopt a fairly passive approach to privacy because of the choice architecture (Thaler, Sunstein, & Balz, 2013) of digital systems, which offers the user only superficial alternatives but no real ways to manage their privacy, while still benefiting from the services. This has important implications for digital literacy, media education and for child rights in a digital-by-default age (Lievens et al., 2018).