GDPR: Implement Consent for Minors under the age of 16 #561
Comments
Age consent approval flows. Note: The Khan Academy sends an email with a CTA included that allows the parent or guardian to give explicit consent. @segdeha We will need to come up with specific language around this and for the CTA - including the email and link to the kbase article below for reference:
The FAQ links to a Zendesk kbase article: https://khanacademy.zendesk.com/hc/en-us/articles/202262974-How-are-child-accounts-different-than-regular-accounts.
Kind of shocking how Facebook and Google treat this flow. In Facebook's case they just give a generic error message. In Google's case they say you must meet "certain age requirements". Why not list them on the page? Or point to a help article that walks the user through the requirements for their location if they vary the age limit by region? Weird to me that their flows are so broken.
Proposal: Sign up form to incorporate age verification form fields. Note: this form will supplant the updated sign up form containing opt-in/opt-out fields referenced in: #560
Form with age verification fields:
Response when under 16 years old:
Response when under 16 years old (variation bold):
Response when under 16 years old (variation red):
@segdeha "Kind of shocking how Facebook and Google treat this flow." I agree! With the new regulations they will probably need to step it up.
Please revise these based on the feedback on #560 to match what we decided over there. Thank you! I think this all makes sense and I just want to say I'm in favor of rearranging the order of the form fields so the age selects are next to the email address field. As the user enters their age, they will be focused on that part of the page and so will be less likely to miss that the email field changes subtly if it's in close proximity. I'm a fan of the smallest change that does the job, so I'm not sure if we need the age notice to be red (which also makes it look like an error). This is a case where we should probably make an informed decision then do some guerrilla usability testing to see if there is a clear difference between the different options. What's your thinking about that?
I spoke with Andrew this afternoon and let's put a hold on the Consent Module for Age until Friday. After examining the regulation and Twitter's Privacy Policy/Terms of Service, it looks like they are using a "Binding Contract" as a legal means to collect information, rather than a Consent Module.
@segdeha yes to guerrilla testing, perhaps @jeremydean might have some students (< 16) and parents we can test the flow with? I'll ping him! I'm wondering if we can just ask the simple question: are you under 16 () yes () no. That way, it's super simple to complete sign up and we're not creating a barrier to entry for our users. The rationale behind asking explicitly for month/day/year was that every other site I looked at, with the exception of adult sites, asks for DOB, so I assumed it was probably a legal pre-requisite. Based on what @rallos mentioned, I'll put further updates on hold until we have further information. Great that we're considering all our options now prior to implementing.
I did some research on the "consent" vs. "contract performance" legal basis of processing personal data. Consent tends to be more burdensome because it has to be specific, unambiguous, freely given, and informed, it allows for withdrawal of consent, and it has to be tracked. Whereas "contract performance" tends to be straightforward because "by using the Service, you agree to form a binding contract with Hypothesis"; this method also provides the following advantage: "If you are processing on the basis of contract, the individual’s right to object and right not to be subject to a decision based solely on automated processing will not apply. However, the individual will have a right to data portability." I see that Facebook, Twitter, Reddit, Vox, etc. use this method and their terms of service and privacy policies have all been updated recently (April 2017-April 2018). Link to a reference I used to make the decision. Thus, let's go in the direction of "contract" rather than "consent" for Sign-Up and Use of Service. Make sure the copy says "I Agree to the Privacy Policy, Terms of Service, and Community Guidelines" (Create an Account) [There is no requirement for Opt-In for a contract like there is for Consent, so it can just be a statement under the text boxes and before the Create an Account button].
Thanks, @rallos, for your analysis! I’d still like us to implement an opt-in checkbox with this new language that blocks the user from creating an account if they do not check it. So, the main thing this advice would give us is a way around capturing users’ ages. |
Users will be blocked from creating an account if they don't agree to the privacy policy - I've added a line for the 'contract' based approach for age requirements and kept both checkbox opt-ins. Note: all copy is placeholder.
Removed explicit DOB fields, added language re: age requirements above sign up button (including revisions to explicit age verification approaches below as a fall back):
Original design revised per feedback in #560 - if we decide to keep DOB:
Simplified approach to age verification - radio button:
Just to be clear, if we adopt the "contract" method then we DO NOT need to capture age for any purpose. I believe the PM agreed we would adopt the contract method, and thus AGE capture requirements can be removed from the UI and backend. |
Ok - based on the feedback on this card I'm going to close this card. We are going to take care of the opt-in checkbox (with this new language that blocks the user from creating an account if they do not check it), in this card: #560. |
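The outcome of the thread is an opt-in checkbox that must be checked before an account can be created, with no age capture. The following is an added example, not Hypothesis project code, of how a sign-up handler enforces that server-side: the checkbox state is never trusted from the client alone, only an explicit affirmative value counts, and the accepted policy version and time are recorded with the account so the agreement can be evidenced later. The `agree_terms` field name, `POLICY_VERSION` value and in-memory store are assumptions for the example.

```python
"""Server-side enforcement of a mandatory agreement checkbox at sign-up.

Added example (not Hypothesis project code). It assumes a hypothetical
form payload with an `agree_terms` field and an in-memory user store.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

# Hypothetical identifier of the policy bundle shown at sign-up. A real
# deployment would take this from configuration so each consent record
# can be tied to the exact wording the user saw.
POLICY_VERSION = "example-2018-05"

# An HTML checkbox submits its `value` only when checked; an unchecked box
# sends nothing at all. Only these literal values count as agreement.
ACCEPTED_VALUES = {"on", "true", "1", "yes"}


class ConsentRequired(Exception):
    """Raised when the form did not carry an affirmative agreement."""


@dataclass
class Account:
    username: str
    email: str
    agreed_policy_version: str
    agreed_at: datetime


def agreement_given(form: dict) -> bool:
    """True only if `agree_terms` is present with an affirmative value.

    The comparison is case-insensitive but otherwise strict: "false",
    "off", an empty string, a non-string or a missing field all mean
    "not agreed", so a client cannot sneak past with a truthy-looking blob.
    """
    raw = form.get("agree_terms")
    if not isinstance(raw, str):
        return False
    return raw.strip().lower() in ACCEPTED_VALUES


def create_account(form: dict, store: dict) -> Account:
    """Create the account only when the agreement box was checked.

    On failure nothing is written to `store`, which is the behaviour the
    thread asks for: no agreement, no account.
    """
    if not agreement_given(form):
        raise ConsentRequired(
            "You must agree to the Privacy Policy, Terms of Service, "
            "and Community Guidelines to create an account."
        )
    username = form.get("username", "").strip()
    email = form.get("email", "").strip()
    if not username or not email:
        raise ValueError("username and email are required")
    if username in store:
        raise ValueError("username already taken")
    account = Account(
        username=username,
        email=email,
        agreed_policy_version=POLICY_VERSION,
        agreed_at=datetime.now(timezone.utc),
    )
    store[username] = account
    return account


if __name__ == "__main__":
    users: dict = {}
    # Constructed sample submissions: one with the box checked, one without.
    ok = create_account({"username": "ada", "email": "ada@example.org",
                         "agree_terms": "on"}, users)
    print("created", ok.username, "agreed to", ok.agreed_policy_version)
    try:
        create_account({"username": "bob", "email": "bob@example.org"}, users)
    except ConsentRequired as exc:
        print("rejected:", exc)
```

The important design point is that the check happens in the handler, not only in the browser: a request crafted without the field, or with a pre-filled "false", is rejected before any user row is written, and the stored `agreed_policy_version` is what lets you show which wording a given account accepted.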
Background
GDPR provides the following requirements for Consent by Minors
Child Consent Requirements:
Issues to be addressed
Asking the user's birthday (I think we can simply ask the year of birth, or their age):
Notifying users' parents if the user is under the consent age:
We'll need to determine what the specific requirements are from an LTI/LMS perspective @jeremydean.