PROTECTING CHILDREN’S PERSONAL DATA IN CYBERSPACE: COMMON ISSUES IN THE EU’S AND VIETNAM’S APPROACHES

  1. Introduction

    It is estimated that one in three Internet users is a child,[1] and the number of children online is growing rapidly, with children spending more time on the Internet than ever before.[2]

    A report from 2020 showed that children spent around 134 to 219 minutes per day online.[3] The 2023 report from Ofcom[4] shows that almost all children went online (97%).[5] Undoubtedly, this trend has created opportunities for children to learn, communicate and socialise, in addition to bringing them into a wider world with a wealth of information; however, it also increases the cyber threats and risks to which children are exposed, including the threat of their personal data being collected and processed illegally by online service providers.[6] The recent development in the US, where 41 states have sued Meta for “harvesting [young users’] data and violating federal laws on children’s privacy”, exemplifies this threat.[7]

    Accordingly, there is a critical need for governments worldwide to adopt policies to protect children’s personal data in a digital world. Having said that, there may be an implementation gap when those policies are applied in practice, which may create legal loopholes or lead to inadequate compliance by the governed entities. In this essay, the author will analyse the existing policies of the European Union (hereinafter “EU”) and Vietnam. For the EU, the analysis will focus on the requirements under its General Data Protection Regulation, widely known as GDPR.[8] For Vietnam, the focus will be the requirements under the Law on Children[9] and Decree 56,[10] the Law on Cybersecurity,[11] and Decree 13.[12] Based on such analysis, the author will highlight the common issues that both jurisdictions encounter when the regulations are implemented in practice, namely ambiguous privacy policies, and age and parental consent verification. In this essay, parental consent should be broadly understood as consent provided by children’s parents or guardians who hold parental responsibility over a child. The same interpretation also applies to the use of the term “parent(s)”.

    The essay is structured as follows: Section 2 reviews the regulations of the EU and Vietnam respectively, Section 3 analyses the common issues in both jurisdictions’ approaches, then Section 4 concludes.

  2. Regulatory review of EU’s and Vietnam’s approaches on protecting children’s personal data in cyberspace

    2.1 EU’s GDPR

    GDPR, approved by the EU Parliament in 2016, replaced Directive 95/46/EC (1995 Directive) and has been effective since 25 May 2018. The Regulation is now one of the main pillars constituting the EU’s legal framework on personal data protection.[13] In comparison with the 1995 Directive, GDPR has broadened data subjects’ rights and introduced new principles and rules for processing personal data.[14] Among others, GDPR has adopted a new set of specific rules for protecting children’s personal data.[15]

    There is no definition of “children” under GDPR. However, GDPR regards children as “vulnerable natural persons” and recognises that the processing of children’s personal data may lead to risks to the rights and freedoms of children of “varying likelihood and severity”,[16] and thus, “[c]hildren merit specific protection with regard to their personal data”.[17] On that basis, GDPR imposes a number of obligations when processing children’s personal data. The first prominent obligation is the consent requirement. GDPR requires that when consent is the lawful basis for processing personal data and the “information society services”[18] are offered directly to a child, the child’s consent must be obtained if the child is at least 16 years old, and if the child is below 16 years old (or the lower age determined by the Member States, provided that such age is not below 13 years old), parental consent will be required.[19] Controllers are further required to “make reasonable efforts to verify” whether the consent “is given or authorised by the holder of parental responsibility over the child” in light of the available technology.[20] Notably, this specific consent requirement applicable to the processing of children’s personal data is an entirely new concept under GDPR, compared to its predecessor.[21]

    Another obligation of controllers is to provide information relating to the processing of personal data to data subjects in concise, clear, transparent and plain language, especially where the information is addressed to a child.[22] In this regard, Recital 58 of GDPR clarifies that the information and communication addressed to a child must be child-friendly to the extent that “the child can easily understand”. The Article 29 Data Protection Working Party (WP29) further elaborates that the element of a “concise and transparent” manner under GDPR requires the information and communication to be delivered in efficient and succinct ways to “avoid information fatigue”.[23]

    GDPR also allows a child to request controllers to erase his or her personal data if such data was collected, on the basis of consent set out under Article 8(1), for offering information society services.[24] As further clarified under Recital 65 of GDPR, this right gives data subjects a chance to remove personal data which they previously provided with their own consent, where such consent was given when they were children and not able to fully understand the risks associated with the provision of data. Most importantly, this right can be exercised even when the data subject is no longer a child. However, the right is not absolute because it cannot be applied in cases where processing data is necessary for exercising the right of freedom of expression, serving public interests, scientific, historical or statistical purposes, or legal claims.[25]

    Other protections under GDPR include the profiling restriction, the establishment of codes of conduct and supervision. In terms of profiling, it is noteworthy that there are no articles in GDPR clearly prohibiting such activities on children. However, Recital 38 requires specific protection to be applied to the use of children’s personal data for marketing and profiling purposes, and Recital 71 provides that decision-making based on profiling “should not concern a child”. On those grounds, some experts concluded that GDPR prohibited profiling activities on children.[26] However, in 2018, WP29 clarified that GDPR did not impose “an absolute prohibition on this type of processing in relation to children” but noted that profiling for marketing purposes targeting children should be refrained from.[27] Regarding codes of conduct, Member States and their national supervisory authorities, the European Data Protection Board, and the European Commission are encouraged to establish codes of conduct relating to the application of GDPR, covering, among others, the protection of children’s personal data and the methods to obtain parental consent.[28] Furthermore, Member States’ supervisory authorities are required to promote public awareness of the risks, rules, safeguards and rights in relation to personal data processing, and “specific attention” should be paid to “activities addressed specifically to children”.[29]

    2.2 Vietnam’s legal framework

    In Vietnam, there are nearly 70 legal documents, including laws, decrees and circulars, governing the protection of personal data.[30] Those documents can be divided into two main groups: general regulations applicable to all sectors and industries, and sector-specific regulations (eg banking, healthcare, insurance, etc).[31] The requirements for protecting children’s personal data fall within the scope of the general regulations, and are laid down in various legal documents instead of one consolidated law. To clarify, the Law on Children and Decree 56 set out the basic principles and obligations, while the Law on Cybersecurity and Decree 13 further clarify and supplement those principles and obligations. In addition to those documents, the Law on Consumers’ Rights Protection[32] will also be reviewed in relation to the requirements on contracts and policies entered into with consumers.

    Under the law of Vietnam, children are those under 16 years of age.[33] Children’s personal data includes information on names, ages, personally identifiable characteristics, health status and other information in the health records, personal images, family members and caregivers, personal property, phone numbers, emails, residence addresses, schools and academic records, friends and provided services.[34] Recently, Decree 13 clarified that personal data should be divided into basic and sensitive personal data.[35] Accordingly, apart from health information, which is sensitive data, other information is classified as children’s basic personal data.[36]

    Based on the recognition of children’s right to privacy as one of the fundamental rights to be protected,[37] the Law on Children imposes a number of obligations to protect children’s personal data, including the obligation to protect those data in cyberspace. The Law on Cybersecurity also reiterates that children’s personal information must be protected in cyberspace.[38] Additionally, Decree 13 underscores that processing children’s personal data must comply with the principle of protecting children’s rights and best interests.[39] In particular, among others, the laws require individuals and organisations providing information and media products, services and activities online to implement measures to ensure the safety and privacy of a child’s private life, as well as to cooperate with competent authorities in preventing and combating violations against a child’s rights.[40]

    In terms of the legal basis for processing children’s personal data, consent is the key basis. Under the law of Vietnam, any person who wishes to collect and process a child's personal data must obtain consent from his or her parents or guardians if the child is below 7 years old, or consent from both the child and his or her parents or guardians if the child is 7 years old or older.[41] However, the consent requirement will not be applicable in the following cases: where the processing is necessary to protect one’s life or health, or the data must be disclosed in accordance with laws, or the processing by state authorities is necessary to protect national interests and security, or the processing is necessary to perform the data subject’s contractual obligations, or the processing serves the operation of state authorities in accordance with laws.[42]

    In light of the above principles and requirements, to protect children online, Vietnamese laws require data controllers, data processors and third parties to verify children’s ages before processing data.[43] In addition, online service providers must employ tools and measures to protect children’s personal data and send warning messages when children’s data is provided or amended.[44] Also, there must be a mechanism in place for a child and his or her parents or guardians to withdraw consent to process data at any time they wish.[45] Regarding the processing of children’s sensitive personal data, the child and his or her parents or guardians must be informed in advance that the data is sensitive and will be processed.[46]

    Furthermore, online service providers are obliged to establish privacy policies detailing all aspects of data collection and processing, including the types of data, the data subjects’ rights under the law, and measures to protect and implement such rights.[47] The privacy policies must be written in plain and easy-to-understand language, and in most cases, the language must be Vietnamese.[48]

  3. Practical analysis of common issues in the EU’s and Vietnam’s approaches

    Despite the regulatory efforts of legislators, the practical compliance of online service providers, such as social media platforms, with the requirements on protecting children’s personal data is frequently criticised.[49] Recently released research from Surfshark, a Dutch VPN company, shows that one-third of GDPR fines relate to the mishandling of children’s personal data.[50] Some notable examples include the Dutch Data Protection Authority’s fine of €750,000 on TikTok in 2021 for not providing a Dutch version of its privacy statement, which made it hard for Dutch child users to understand its contents;[51] the Irish Data Protection Commission’s fine of €405 million on Instagram (Meta) in 2022 for letting child users set up business accounts that displayed their contact information;[52] and its fine of €345 million on TikTok in 2023 for violations related to the platform settings for child users, age verification and transparency information for children.[53] In Vietnam, the Ministry of Information and Communications recently conducted a thorough investigation into TikTok’s operation in the country and found a series of violations against Vietnamese laws, including those against children’s privacy.[54] Such news demonstrates that there are still gaps between the regulatory requirements on protecting children’s personal data in cyberspace and the practical application of such requirements by governed entities.

    Upon reviewing the EU’s and Vietnam’s requirements, the author finds that there are two common practical issues in both jurisdictions, namely the lack of (1) child-friendly privacy policies and (2) effective methods to verify children's ages and obtain parental consent.

    Apart from the legislation analysed in Section 2, the author notes that there are guidelines from the authorities as well as experts in relation to the implementation of requirements in practice, especially for the EU. Those guidelines will also be considered in this Section, where appropriate. For the context of Vietnam, on 01 June 2021, the Prime Minister adopted Decision No. 830/QD-TTg approving the national programme protecting and supporting children’s safe and creative interaction on the Internet for the period of 2021 – 2025 (hereinafter “Decision 830”).[55] Among others, Decision 830 calls upon enterprises providing services in cyberspace to adopt measures and tools to ensure children’s privacy on the Internet.[56] However, the Decision does not specify what types of technology, measures or tools should be used to perform such obligations. Consequently, it is noteworthy that in Vietnam there is no practical guidance available at the moment for implementing the requirements on privacy policies as well as age and parental consent verification. However, for the purpose of the analysis, the author considers applying the EU’s guidelines similarly to the case of Vietnam because its newest regulation on personal data protection (ie Decree 13) mirrors and aligns with GDPR on those aspects,[57] while previously-adopted documents do not provide any clarification on the issues.

    3.1 Ambiguous privacy policies

    How children understand consent and commercial practices in cyberspace, and to what extent a child can make informed choices about their personal data online, are shared public concerns.[58] To improve children’s understanding of data processing activities, it is critical for them to be informed by “[w]ell implemented legible terms and conditions”.[59] In its Transparency Guidelines, WP29 introduces a number of methods to ensure compliance with the requirement that a privacy policy be clear, concise, transparent and in plain language, such as using layered statements/notices, or avoiding language qualifiers.[60] For information provided to children, WP29 recommends using child-centred language instead of normal legal language.[61] The use of visualisation tools such as icons and certification marks is also encouraged.[62] From the experts’ side, some suggestions for adopting a child-friendly privacy policy include “legal (information) design”, which encourages the combination of visual effects and understandable language (eg avoiding legal jargon, using plain language with correct grammar and punctuation rules), and “participatory design”, which calls for the participation of all stakeholders, including lawyers, regulators, developers, and especially children, in the process of drawing up a privacy policy.[63] Involving children in the process of designing information provided to them is also considered best practice in making child-friendly privacy policies.[64]

    Although the requirements and guidelines are in place, privacy statements have not been written in a way that is child-friendly or specifically for children.[65] There is also no uniform standard for a child-centred privacy policy.[66] Textual analysis of the privacy policies of three platforms commonly used by children, namely Instagram, Snapchat and TikTok, found that such policies remain long, hard to understand and mostly text-based, with vague terms which are not friendly to a child at all, in addition to not providing adequate information relating to children’s data processing activities as required.[67] Furthermore, the practical examples of the EU’s and Vietnam’s recent investigations into TikTok demonstrate that its privacy policy is not transparent enough for a child.[68] In this particular case of TikTok, it is worth noting that although the platform has a separate privacy policy for EU users,[69] that version still does not comply with GDPR’s requirements.

    3.2 Age and parental consent verification

    As analysed, both GDPR and Vietnamese laws require digital service providers to verify children’s ages[70] and obtain parental consent before providing online services to children. In terms of age verification methods, WP29 specifies that:

    Age verification should not lead to excessive data processing. The mechanism chosen to verify the age of a data subject should involve an assessment of the risk of the proposed processing. In some low-risk situations, it may be appropriate to require a new subscriber to a service to disclose their year of birth or to fill out a form stating they are (not) a minor. If doubts arise the controller should review their age verification mechanisms in a given case and consider whether alternative checks are required.[71]

    For parental consent, WP29 suggests that verification via parents’ emails may be sufficient in low-risk cases; however, for high-risk cases, other verification methods should be used, such as requiring parents to make a bank transaction.[72] WP29 also notes that controllers have sole discretion in selecting the appropriate verification methods on a case-by-case basis but warns that the methods should not collect personal data on a massive scale.[73]

    Having said that, as with the issue of privacy policies, the effectiveness of the methods used by providers to verify ages and parental consent in practice is questionable.[74] Upon reviewing 24 apps and platforms popular with children,[75] Simone et al concluded that the most commonly used method to verify age is children’s self-declaration, which is not an adequate form of age verification for all cases, especially for high-risk cases.[76] One notable problem of self-declaration is that children can provide a false date of birth to sign up for online services.[77] Furthermore, the research also found that most service providers do not provide privacy-enhancing solutions for age verification.[78]

    Parental consent is normally obtained through the parents’ or guardians’ emails or credit card verification.[79] Both methods are insufficient to verify parental consent as there is no actual verification of the person who gives consent: children themselves can approve the account by accessing the verification email and, in the case of card verification, the card can belong to someone other than the child’s parents.[80] Furthermore, it is also noteworthy that “[i]n most cases where parental consent is sought it is quite general and does not constitute consent to a specific data processing activity as required by the GDPR.”[81] At the moment there may be no practically effective methods for obtaining parental consent under GDPR,[82] and the same may be true for Vietnam.

  4. Conclusion

    Both the EU and Vietnam have adopted sets of legal requirements applicable to digital service providers to protect children’s personal data on the Internet. For the EU, GDPR introduces the concept of parental consent, underscores the need to provide clear and transparent information about the processing of children’s personal data, and urges stakeholders to comply with the requirements. For Vietnam, based on the basic principles set out under the Law on Children and further clarified under the Law on Cybersecurity, Decree 56 and Decree 13, service providers are required to comply with the consent requirements, adopt legible privacy policies and cooperate with authorities in protecting children online.

    Nevertheless, compliance with such requirements is questionable. Recent penalties and investigations imposed on online service providers in both jurisdictions show a gap between regulatory requirements and practical implementation. Common issues in the EU’s and Vietnam’s approaches include the service providers’ failure to adopt child-friendly privacy policies as well as effective methods to verify age and parental consent. In further analysis of the issues, the author finds that while the EU has adopted a series of practical guidelines on the implementation of GDPR’s requirements on those aspects, documents of the same nature are absent in the case of Vietnam. However, ironically, the outcome seems to be the same for both jurisdictions: the violations by some platforms popular with children are similar in nature and degree. This raises scepticism over the effectiveness and practicality of regulations on protecting children’s personal data in cyberspace and requires further academic research to discover the root causes as well as mitigation measures for the issues. As recognised under both the EU’s and Vietnam’s laws, children are vulnerable and their personal data in the digital world must be protected to ensure their best interests. To conclude, the author concurs with Simone et al that in addition to the compliance obligations of digital service providers, “there is also a task for regulators to ensure that the law is enforced so that the rights of children are taken seriously.”[83]

    Author: Hoang Le Quan

    Footnotes

    [1] European Commission, ‘Creating a better Internet for kids’ (7 June 2022) <https://digital-strategy.ec.europa.eu/en/policies/better-internet-kids> accessed 2 November 2023.

    [2] United Nations, ‘Global Issues: Child and Youth Safety Online’ (no date available) <https://www.un.org/en/global-issues/child-and-youth-safety-online> accessed 2 November 2023 [hereinafter United Nations].

    [3] David Smahel, Hana Machackova, Giovanna Mascheroni, Lenka Dedkova, Elisabeth Staksrud, Kjartan Ólafsson, Sonia Livingstone and Uwe Hasebrink, ‘EU Kids Online 2020: Survey results from 19 countries’ (The EU Kids Online Network, 2020).

    [4] Ofcom is the UK's communications regulator.

    [5] Ofcom, ‘Children and Parents: Media Use and Attitudes’ (29 March 2023).

    [6] United Nations (n 2).

    [7] Cristiano Lima and Naomi Nix, ‘41 states sue Meta, claiming Instagram, Facebook are addictive, harm kids’ (The Washington Post, 24 October 2023) <https://www.washingtonpost.com/technology/2023/10/24/meta-lawsuit-facebook-instagram-children-mental-health/> accessed 2 November 2023.

    [8] Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data [2016] OJ L 119/1.

    [9] Law No. 102/2016/QH13 dated 05 April 2016 of the National Assembly on Children (Law on Children). See the official English translation of the Law on Children at https://vbpl.vn/TW/Pages/vbpqen-toanvan.aspx?ItemID=11044&Keyword=Law%20on%20Children accessed 9 November 2023.

    [10] Decree No. 56/2017/ND-CP dated 09 May 2017 of the Government detailing a number of articles of the Law on Children (Decree 56). See the official English translation of Decree 56 at https://vbpl.vn/TW/Pages/vbpqen-toanvan.aspx?ItemID=11109&Keyword= accessed 9 November 2023.

    [11] Law No. 24/2018/QH14 dated 12 June 2018 of the National Assembly on Cybersecurity (Law on Cybersecurity). See the unofficial English translation of the Law on Cybersecurity at https://www.economica.vn/Content/files/LAW%20%26%20REG/Law%20on%20Cyber%20Security%202018.pdf accessed 9 November 2023.

    [12] Decree No. 13/2023/ND-CP dated 17 April 2023 of the Government on personal data protection (Decree 13). See the unofficial English translation of Decree 13 at https://eurochamvn.org/wp-content/uploads/2023/02/Decree-13-2023-PDPD_EN_clean.pdf accessed 9 November 2023.

    [13] Feikert-Ahalt Clare, Jenny Gesley, Elin Hofverberg, Nicolas Boring, Kayahan Cantekin, Eduardo Soares, Georgiana Grozescu, Graciela Rodriguez-Ferrand, and U.S. Global Legal Research Directorate Law Library of Congress, ‘Children's online privacy and data protection in selected European countries: European Union, Denmark, France, Germany, Greece, Portugal, Romania, Spain, Sweden, United Kingdom’ (2021) <https://www.loc.gov/item/2021680641/> accessed 10 November 2023.

    [14] Karolina Mojzesowicz, ‘Session 1: The GDPR: history, rationale and future guidance’ (Roundtable on the GDPR and children’s rights conference, Brussels, June 2017).

    [15] Ibid.

    [16] GDPR, recital 75.

    [17] GDPR, recital 38.

    [18] They are defined as any “service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services”. See Directive 2015/1535 laying down a procedure for the provision of information in the field of technical regulations and of rules on Information Society services (codification) [2015] OJ L 241/1, art 1(1)(b).

    [19] GDPR, art 8(1).

    [20] GDPR, art 8(2).

    [21] Milda Macenaite and Eleni Kosta, ‘Consent for processing children’s personal data in the EU: following in US footsteps?’ (2017) 26:2 Information & Communications Technology Law 146.

    [22] GDPR, art 12(1).

    [23] Article 29 Data Protection Working Party, ‘Guidelines on transparency under Regulation 2016/679’ (2018) WP260 rev.01, [8] [hereinafter WP29 Transparency Guidelines].

    [24] GDPR, art 17(1)(f).

    [25] GDPR, recital 65.

    [26] Milda Macenaite, ‘From Universal Towards Child-Specific Protection of the Right to Privacy Online: Dilemmas in the General Data Protection Regulation’ (2017) 19(5) New Media and Society 765, 771.

    [27] Article 29 Data Protection Working Party, ‘Guidelines on Automated individual decision-making and Profiling for the purposes of Regulation 2016/679’ (2018) WP251 rev.01, 28-29.

    [28] GDPR, arts 40(1) and 40(2)(g).

    [29] GDPR, art 57(1).

    [30] Hoa Chu, ‘Legal Framework for Personal Data Protection in Vietnam’ in Thanh Phan, Daniela Damian (eds), Smart Cities in Asia: Regulations, Problems, and Development (Springer 2022).

    [31] Pham Hong Hanh, 'Protecting Personal Data Pursuant to the Vietnamese Law: Regulations, Appraisal and Recommendations' (2022) 5 International Journal of Law Management & Humanities 1409.

    [32] Law No. 59/2010/QH12 dated 17 November 2010 of the National Assembly on Consumers’ Rights Protection (Law on Consumers’ Rights Protection). See the unofficial English translation of the law at https://www.aseanconsumer.org/file/pdf_file/Vietnam%20Legislation%20-%20Law%20on%20Protection%20of%20Consumer%20(english).pdf accessed 9 November 2023.

    [33] Law on Children, art 1.

    [34] Decree 56, art 33.

    [35] Decree 13, arts 2.3 and 2.4.

    [36] Ibid.

    [37] Law on Children, art 21.

    [38] Law on Cybersecurity, art 29.1.

    [39] Decree 13, art 20.1.

    [40] Law on Children, art 54.2; Law on Cybersecurity, arts 29.2 and 29.3.

    [41] Decree 56, art 36.1; Decree 13, art 20.2.

    [42] Decree 13, art 17.

    [43] Decree 13, art 20.2.

    [44] Decree 56, art 36.2.

    [45] Decree 56, art 36.3.

    [46] Decree 13, art 28.3.

    [47] Decree 13, arts 26 and 27.

    [48] Law on Consumers’ Rights Protection, art 14(2).

    [49] Samuel M. Roth, 'Data Snatchers: Analyzing TikTok's Collection of Children's Data and Its Compliance with Modern Data Privacy Regulations' (2021) 22 Journal of High Technology Law 1 [hereinafter Roth].

    [50] Surfshark, ‘⅓ of social media's GDPR fines linked to children’ (7 November 2023) <https://surfshark.com/research/chart/social-media-gdpr-fines> accessed 15 November 2023.

    [51] European Data Protection Board, ‘Dutch DPA: TikTok fined for violating children’s privacy’ (22 July 2021) <https://edpb.europa.eu/news/national-news/2021/dutch-dpa-tiktok-fined-violating-childrens-privacy_en> accessed 15 November 2023.

    [52] Data Protection Commission, ‘Data Protection Commission announces decision in Instagram Inquiry’ (15 September 2022) <https://www.dataprotection.ie/en/news-media/press-releases/data-protection-commission-announces-decision-instagram-inquiry> accessed 15 November 2023.

    [53] Data Protection Commission, ‘Irish Data Protection Commission announces €345 million fine of TikTok’ (15 September 2023) <https://www.dataprotection.ie/en/news-media/press-releases/DPC-announces-345-million-euro-fine-of-TikTok> accessed 15 November 2023.

    [54] Viet Nam News, ‘Inspection results on TikTok operations in Việt Nam released, multiple violations detected’ (6 October 2023) <https://vietnamnews.vn/society/1594820/inspection-results-on-tiktok-operations-in-viet-nam-released-multiple-violations-detected.html> accessed 15 November 2023 [hereinafter VNA].

    [55] There is no English translation available for Decision 830. See summary of Decision 830’s contents at Vietnam Investment Review, ‘Vietnam announces national programme on children protection on network environment’ (5 June 2021) <https://vir.com.vn/vietnam-announces-national-programme-on-children-protection-on-network-environment-84629.html> accessed 17 November 2023.

    [56] Decision 830, art 1, sec IV.9.

    [57] Venture North Law, ‘New Decree on Protection of Personal Data in Vietnam and Comparison with GDPR’ (Vietnam Business Law, 21 April 2023) <https://vietnam-business-law.info/blog/2023/4/21/new-decree-on-protection-of-personal-data-in-vietnam-and-comparison-with-gdpr> accessed 16 November 2023; Manh Hung Tran, Huu Tuan Nguyen and Huyen Minh Nguyen, ‘Vietnam: Official issuance of Vietnam Decree on Personal Data Protection (PDPD)’ (Global Compliance News by Baker McKenzie, 22 April 2023) <https://www.globalcompliancenews.com/2023/04/22/https-insightplus-bakermckenzie-com-bm-technology-media-telecommunications_1-vietnam-official-issuance-of-vietnam-decree-on-personal-data-protection-pdpd_04182023/> accessed 16 November 2023.

    [58] Sonia Livingstone, ‘Session 3: Do children understand the commercial nature of the internet?’ (Roundtable on the GDPR and children’s rights conference, Brussels, June 2017) [hereinafter Livingstone]. See also Virginia A.M. Talley, ‘Major Flaws in Minor Laws: Improving Data Privacy Rights and Protections For Children Under the GDPR’ (2019) 30 Indiana Int’l & Comp. Law Review 127, 149-50 (demonstrating that “a child is not deemed able to provide informed consent for their own data processing.”) [hereinafter Talley]; Mariya Stoilova, Rishita Nandagiri & Sonia Livingstone, ‘Children’s understanding of personal data and privacy online – a systematic evidence mapping’ (2021) 24 Information, Communication & Society 557, 568 (noting that there is public and policy attention to children’s capacity to give consent online).

    [59] Ibid (Livingstone).

    [60] WP29 Transparency Guidelines (n 23).

    [61] WP29 Transparency Guidelines (n 23), [14]-[16].

    [62] WP29 Transparency Guidelines (n 23), [49]-[53].

    [63] Ingrida Milkaite & Eva Lievens, ‘Child-friendly transparency of data processing in the EU: from legal requirements to platform policies’ (2020) 14 Journal of Children and Media 5 [hereinafter Milkaite et al].

    [64] European Union, ‘Children’s rights in the digital environment: Moving from theory to practice. Best-practice guideline’ (Better Internet for Kids, 2021).

    [65] Centre for Information Policy Leadership, ‘GDPR Implementation In Respect of Children’s Data and Consent’ (6 March 2018).

    [66] Ibid.

    [67] Milkaite et al (n 63).

    [68] Roth (n 49), 41; VNA (n 54).

    [69] Milkaite et al (n 63), 13.

    [70] In case of GDPR, the age verification is rather an implicit requirement. See Simone van der Hof & Sanne Ouburg, ''We Take Your Word for It' - A Review of Methods of Age Verification and Parental Consent in Digital Services' (2022) 8 European Data Protection Law Review 61, 62 [hereinafter Simone et al].

    [71] Article 29 Data Protection Working Party, ‘Guidelines on consent under Regulation 2016/679’ (2018) WP259 rev.01, 25-26.

    [72] Ibid, 26.

    [73] Ibid, 26-27.

    [74] Caroline De Geest, Andrea Parola, David Martin, Vicki Shotbolt and Peggy Valcke (as moderator), ‘Session 5: Challenges for DPAs, industry, parents and children’ (Roundtable on the GDPR and children’s rights conference, Brussels, June 2017); VNA (n 54) (among others, the Vietnamese authority requested TikTok to take measures to verify users’ ages and remove accounts of those under 13 years old, implying that TikTok currently does not have a mechanism in place to verify children’s ages and their parental consent).

    [75] Including 18 apps and 6 platforms, see full list at Simone et al (n 70), 66.

    [76] Simone et al (n 70), 69.

    [77] Ibid.

    [78] Simone et al (n 70), 70.

    [79] Simone et al (n 70), 70-71.

    [80] Ibid.

    [81] Simone et al (n 70), 71.

    [82] Talley (n 58), 157.

    [83] Simone et al (n 70), 72.