
GDPR: Implement Consent for Minors under the age of 16 #561

Closed · 2 tasks
ajpeddakotla opened this issue Mar 26, 2018 · 12 comments


ajpeddakotla commented Mar 26, 2018

Background

GDPR provides the following requirements for consent by minors.

Child consent requirements:

  1. A child must be 16 to give consent.
  2. We must make reasonable efforts to ensure the relevant parental consent has been given, taking into account available technology.

Issues to be addressed

  • Implement a user flow that takes into account that students and/or minors are creating accounts w/ Hypothesis (something that affects us across our entire user base, particularly education).
  • Example user flow from Khan Academy (where they delineate between users who are younger than 12 and those 13-18; we do not need to do this)

Asking the user's birthday (I think we can simply ask the year of birth, or their age):
[image: khan]

Notifying the user's parents if the user is under the consent age:
[image: khan 2]

We'll need to determine what the specific requirements are from an LTI/LMS perspective @jeremydean.

ajpeddakotla changed the title from "GDPR: Implement Consent for Minors under the age of 16." to "GDPR: Implement Consent for Minors under the age of 16" on Mar 26, 2018
ajpeddakotla mentioned this issue Mar 27, 2018
dawachan self-assigned this Apr 4, 2018
dawachan added the Design label Apr 4, 2018

dawachan commented Apr 5, 2018

Age consent approval flows.

[image: age consent flows]

Note:
I had a hard time finding sites that require explicit parental consent; most, if you are below the age of consent, serve up an ugly message that registration couldn't be completed.

The Khan Academy sends an email with a CTA included that allows the parent or guardian to give explicit consent.

@segdeha We will need to come up with specific language around this and for the CTA - including the email and link to the kbase article below for reference:

[screenshot: 2018-04-05 at 13:48:09]

Hi,

Your child created a Khan Academy account and listed you as their parent or guardian. Because your child is under 13, you must approve their use of Khan Academy.

On Khan Academy, your child can access a wealth of educational content, all 100% free. Please click the button below to grant approval or your child’s account will be deactivated in 7 days.

Allow my child to use Khan Academy

Please press the button above and give your approval, or your child’s account will be deactivated in 7 days.

For more information on Khan Academy child accounts, please see our FAQ.

Our mission is to provide a free, world-class education to anyone, anywhere. Thank you for allowing your child to learn with us.

Onward!
Sal and the Khan Academy Team

P.S. If you believe you received this email in error, you can safely ignore it and we will remove your email from our system.

The FAQ links to a Zendesk kbase article: https://khanacademy.zendesk.com/hc/en-us/articles/202262974-How-are-child-accounts-different-than-regular-accounts.
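The parental-approval link in the flow described above is the security-relevant piece: the link in the email has to be bound to one specific account, unguessable, single-use, and time-limited, and an account that is never approved should lapse rather than stay half-open. The following Python sketch is an added example, not Hypothesis or Khan Academy code. It assumes an in-memory account store, an HMAC-SHA256 signed token carried in the link, the 7-day window quoted in the email, and 16 as the age threshold discussed in this issue; the function and field names are illustrative.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed demo key; a real deployment would load this from a secret store.
SERVER_KEY = b"demo-key-do-not-use-in-production"
CONSENT_AGE = 16                 # age threshold discussed in this issue
APPROVAL_WINDOW = 7 * 24 * 3600  # 7-day approval window, as in the quoted email


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(account_id: str, nonce: str, issued_at: int, key: bytes = SERVER_KEY) -> str:
    """Signed approval token: base64(payload).base64(HMAC-SHA256(payload)).
    Assumes account ids never contain '|' (hypothetical format)."""
    payload = f"{account_id}|{nonce}|{issued_at}".encode()
    mac = hmac.new(key, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(mac)}"


def parse_token(token: str, key: bytes = SERVER_KEY):
    """Return (account_id, nonce, issued_at), or None if the signature fails."""
    try:
        body, sig = token.split(".", 1)
        payload = _unb64(body)
        expected = hmac.new(key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None
        account_id, nonce, issued = payload.decode().split("|")
        return account_id, nonce, int(issued)
    except (ValueError, UnicodeDecodeError):
        return None


def register(accounts: dict, account_id: str, age: int, parent_email: Optional[str], now: int):
    """Create an account; minors start pending and receive a one-time approval token."""
    if age >= CONSENT_AGE:
        accounts[account_id] = {"status": "active"}
        return "active", None
    if not parent_email:
        return "rejected", None
    nonce = secrets.token_urlsafe(16)  # fresh per registration, stored server-side
    accounts[account_id] = {
        "status": "pending_parental_consent",
        "parent_email": parent_email,
        "nonce": nonce,
        "created": now,
    }
    # In a real system this token is what the email CTA link would carry.
    return "pending_parental_consent", make_token(account_id, nonce, now)


def approve(accounts: dict, token: str, now: int) -> str:
    """Handle a click on the approval link; returns an outcome label."""
    parsed = parse_token(token)
    if parsed is None:
        return "invalid_signature"
    account_id, nonce, issued = parsed
    acct = accounts.get(account_id)
    if acct is None:
        return "unknown_account"
    if acct["status"] != "pending_parental_consent":
        return "already_decided"
    if now - issued > APPROVAL_WINDOW:
        acct["status"] = "deactivated"
        return "expired"
    if not hmac.compare_digest(nonce, acct["nonce"]):
        return "stale_token"  # a link from an earlier registration attempt
    acct["status"] = "active"
    acct["approved_at"] = now
    del acct["nonce"]  # link is single-use
    return "approved"


def sweep_expired(accounts: dict, now: int) -> list:
    """Deactivate pending accounts whose approval window has passed."""
    expired = []
    for account_id, acct in accounts.items():
        if acct["status"] == "pending_parental_consent" and now - acct["created"] > APPROVAL_WINDOW:
            acct["status"] = "deactivated"
            expired.append(account_id)
    return expired
```

The nonce stored beside the account is what makes the link single-use and ties it to the most recent registration attempt; the signature prevents forging a link for another account, and both `approve` and the periodic `sweep_expired` enforce the deactivation deadline so an unapproved account cannot linger.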


segdeha commented Apr 5, 2018

Kind of shocking how Facebook and Google treat this flow. In Facebook's case they just give a generic error message. In Google's case they say you must meet "certain age requirements". Why not list them on the page? Or point to a help article that walks the user through the requirements for their location if they vary the age limit by region? Weird to me that their flows are so broken.


dawachan commented Apr 5, 2018

Proposal: Sign up form to incorporate age verification form fields

Note: this form will supplant the updated sign up form containing opt-in/opt-out fields referenced in: #560

Form with age verification fields:

[image: sign up with age consent fields 1]

Response when under 16 years old:

[image: sign up with age consent fields response 2]

Response when under 16 years old (variation bold):

[image: sign up with age consent fields response emphasis - bold]

Response when under 16 years old (variation red):

[image: sign up with age consent fields response emphasis - red]


dawachan commented Apr 5, 2018

@segdeha "Kind of shocking how Facebook and Google treat this flow." I agree! With the new regulations they will probably need to step it up.


segdeha commented Apr 5, 2018

Please revise these based on the feedback on #560 to match what we decided over there. Thank you!

I think this all makes sense and I just want to say I'm in favor of rearranging the order of the form fields so the age selects are next to the email address field. As the user enters their age, they will be focused on that part of the page and so will be less likely to miss that the email field changes subtly if it's in close proximity.

I'm a fan of the smallest change that does the job, so I'm not sure if we need the age notice to be red (which also makes it look like an error). This is a case where we should probably make an informed decision then do some guerrilla usability testing to see if there is a clear difference between the different options. What's your thinking about that?


rallos commented Apr 5, 2018

I spoke with Andrew this afternoon and let's put a hold on the Consent Module for Age until Friday. After examining the regulation and Twitter's Privacy Policy/Terms of Service, it looks like they are using a "Binding Contract" as a legal means to collect information, rather than a Consent Module.


dawachan commented Apr 6, 2018

@segdeha Yes to guerrilla testing; perhaps @jeremydean might have some students (< 16) and parents we can test the flow with? I'll ping him! I'm wondering if we can just ask the simple question: are you under 16? ( ) yes ( ) no. That way it's super simple to complete sign up and we're not creating a barrier to entry for our users. The rationale behind asking explicitly for month/day/year was that every other site I looked at, with the exception of adult sites, asks for DOB, so I assumed it was probably a legal pre-requisite. Based on what @rallos mentioned, I'll put further updates on hold until we have further information. Great that we're considering all our options now prior to implementing.


rallos commented Apr 6, 2018

I did some research on the "consent" vs. "contract performance" legal basis for processing personal data. Consent tends to be more burdensome because it has to be specific, unambiguous, freely given, and informed; it allows for withdrawal of consent; and it has to be tracked. Whereas "contract performance" tends to be straightforward because "by using the Service, you agree to form a binding contract with Hypothesis", and this method also provides the following advantage: "If you are processing on the basis of contract, the individual's right to object and right not to be subject to a decision based solely on automated processing will not apply. However, the individual will have a right to data portability." I see that Facebook, Twitter, Reddit, Vox, etc. use this method, and their terms of service and privacy policies have all been updated recently (April 2017 to April 2018). Link to a reference I used to make the decision is below. Thus, let's go in the direction of "contract" rather than "consent" for Sign-Up and Use of Service. Make sure the copy says "I Agree to the Privacy Policy, Terms of Service, and Community Guidelines" (Create an Account). [There is no requirement for Opt-In for a contract like there is for Consent, so it can just be a statement under the text boxes and before the Create an Account button.]

https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/contract/


segdeha commented Apr 6, 2018

Thanks, @rallos, for your analysis!

I’d still like us to implement an opt-in checkbox with this new language that blocks the user from creating an account if they do not check it. So, the main thing this advice would give us is a way around capturing users’ ages.


dawachan commented Apr 9, 2018

Users will be blocked from creating an account if they don't agree to the privacy policy. I've added a line for the 'contract'-based approach to age requirements and kept both checkbox opt-ins. Note: all copy is placeholder.

Removed explicit DOB fields, added language re: age requirements above the sign up button:
[image: sign up with age consent fields - contract based]

(Including revisions to explicit age verification approaches below as a fall back)

Original design revised per feedback in #560, if we decide to keep DOB:

[image: sign up with age consent fields 1]
[image: sign up with age consent fields 2]

Simplified approach to age verification (radio button):

[image: sign up with age consent fields 3]
[image: sign up with age consent fields 4]


rallos commented Apr 9, 2018

Just to be clear, if we adopt the "contract" method then we DO NOT need to capture age for any purpose. I believe the PM agreed we would adopt the contract method, and thus AGE capture requirements can be removed from the UI and backend.

ajpeddakotla (Author) commented

Ok - based on the feedback on this card I'm going to close this card. We are going to take care of the opt-in checkbox (with this new language that blocks the user from creating an account if they do not check it), in this card: #560.


No branches or pull requests

4 participants