Information technologies exposing children to privacy risks: Domains and children-specific technical controls

EU data protection law requires that digital service providers and system developers put in place technical measures that are adequate to protect children's informational privacy. The stringent legal obligations of implementing principles of data protection by design into digital systems intensified the engineers' need to create processes and technological solutions to enhance children's privacy in digital services. However, in several cases, generic controls have proven to have limited effects on the protection of children's privacy, raising questions about the need to further develop children-specific technical controls. This paper contributes to address the need for privacy controls by providing (a) a summary of real-world applications of information technologies domains that expose children to privacy risks, and (b) a list that represents the state-of-the-art of the technical controls designed specifically to protect children's privacy. We identify 24 technical controls that we manually classify with NIST Security and Privacy control categories and Hoepman's Privacy design strategies. We find that most controls relate to identification and authentication, many of which in the form of techniques for age verification. In general, the vast majority of controls belong to minimization strategies. Our findings show that the field of technical controls specifically designed for children is yet to be developed.