Date: 24 May 2018
Response to Follow-up Media Enquiry on Children Privacy Issues with Tik Tok
Thank you very much for your follow-up email enquiry. While it would not be appropriate for us to comment on individual cases or a specific practice before looking into the details of the specific circumstances, our general observations from the perspective of personal data privacy are as follows:
-
When a user wishes to remove the social media app or requests an account to be deleted, the app operator should offer the option to delete all app-related data and account-related information. Although there is no express provision on the means to be provided for in the Personal Data (Privacy) Ordinance (the Ordinance), according to the leaflet “Collection and Use of Personal Data through the Internet – Points to Note for Data Users Targeting at Children”, the social media platform operators (as data users) are advised to offer a readily accessible and user-friendly means for children (as account holders) to remove their accounts and all associated data collected by the social media platform operators, and to ensure that children are well informed of their rights.
-
Social media platform operators should also consider providing a single place on their online platforms for children to find out what personal data has been collected or maintained, such as a “dashboard” for children to use, change and remove all the postings and the personal data collected. The same dashboard may also include all the privacy related settings. For younger children at primary school age and below, social media platform operators may extend such dashboards to parents so that they can help younger children to manage their own personal data privacy.
-
Social media platform operators should ensure that children understand the privacy implications for posting the contents. The operators are encouraged to remind children that, despite the ability to delete posts and to use restrictive privacy settings on the platforms to limit sharing, any other members they permit to access that information may easily copy and repost the information to other public platforms in a way that the children would have no control over.
-
Social media platform operators should also keep the target audience in mind in their choice of language and presentation for privacy policy and practice. A single version of the privacy policy is not likely to ensure that it will be easily understood by different age groups especially children. The operators should develop different age-appropriate versions of the privacy policy and deploy user-friendly means to present the written privacy policy, for example by utilising graphics and animation. Consent or opt-in obtained through age-appropriate communication means would be encouraged.
The Privacy Commissioner again reminds children that before giving consent to social media platform operators to collect and process their personal data, they should clearly understand the purpose of data collection and read the
Privacy Policy and
Personal Information Collection Statement carefully to ascertain what purpose their personal data is to be collected, retained, used or shared by the operator, and to whom it is to be transferred. Children should also be vigilant and think twice before they post as there is no simple “delete button once their personal data is disclosed online. More tips on how to protect personal data privacy when using social network platforms can be found in the information leaflet
“Protecting Online Privacy – Be Smart on Social Networks”.
-
If a child suspects that his privacy rights relating to personal data are being encroached or abused, he should first seek advice from his parent. His parent or legal guardian (as the “relevant person” of the child) then should consider raising the concern with the individuals / organisations that were suspected of abusing the child’s personal information. If he is dissatisfied with their response, he can then lodge a complaint with the office of the Privacy Commissioner for Personal Data, Hong Kong (“PCPD”). Upon receipt of the complaints, the PCPD will take appropriate follow up action. If there is a prima facie case, the PCPD may initiate a formal investigation to decide if there is contravention of the Ordinance.
The information can be attributed to the Privacy Commissioner for Personal Data, Mr Stephen Kai-yi Wong.