`I make up a silly name'

Children under 11 are often regarded as too young to comprehend the implications of online privacy. Perhaps as a result, little research has focused on younger kids’ risk recognition and coping. Such knowledge is, however, critical for designing efficient safeguarding mechanisms for this age group. Through 12 focus group studies with 29 children aged 6-10 from UK schools, we examined how children described privacy risks related to their use of tablet computers and what information was used by them to identify threats. We found that children could identify and articulate certain privacy risks well, such as information oversharing or revealing real identities online; however, they had less awareness with respect to other risks, such as online tracking or game promotions. Our findings offer promising directions for supporting children’s awareness of cyber risks and the ability to protect themselves online.

"Our results showed that children’s ability to fully recognise privacy risks has a direct impact on their ability to consistently describe and manage these risks: when they only vaguely recognised the risks, they would try to make sense out of them using their knowledge or experiences, but would not always take effective action. Expanding our understanding of children’s perceptions of risks thus advances the goal of facilitating a child’s ability to cope with risks from a young age, scaffolding this through a knowledge acquisition, rather than a restrictive approach. We hope that our findings will support both designers of new privacy tools for children, as well as those of educational material seeking to address gaps in their understanding of risks and data use online. Providing better privacy-by-design guidelines for protecting children is essential both to influence, and meet the aspirational goals of data protection (DP) initiatives being set forth around the globe. Although the GDPR in the EU protects the use of children’s data, the Children’s Online Privacy Protection Act (COPPA) in the US has yet to provide an explicit regulation of third-party tracking. This study has highlighted some potential avenues by which future tools might, through greater data literacy, lay the foundation for having children understand, and start to exercise, the rights such DP regulation grant them." (Zhao et al., 2019: 10-11)