Dissecting the commercial profiling of children: A proposed taxonomy and assessment of the GDPR, UCPD, DSA and AI Act in light of the precautionary principle

IF 3.3 3区社会学 Q1 LAW

Computer Law & Security Review Pub Date : 2025-05-12 DOI:10.1016/j.clsr.2025.106143

Eline L. Leijten , Simone van der Hof

{"title":"Dissecting the commercial profiling of children: A proposed taxonomy and assessment of the GDPR, UCPD, DSA and AI Act in light of the precautionary principle","authors":"Eline L. Leijten , Simone van der Hof","doi":"10.1016/j.clsr.2025.106143","DOIUrl":null,"url":null,"abstract":"<div><div>Over a decade after the Article 29 Working Party first stated that data controllers should refrain from the processing of children’s data for the purpose of behavioural advertising, children are still profiled at scale for commercial purposes, including behavioural advertising. The United Nations Convention on the Rights of the Child (‘UNCRC’) Committee urges States parties to prohibit profiling children for commercial purposes, as the practice is associated with a panoply of potential children’s rights violations and may cause children significant harm. Yet little scholarship is devoted to seeking granularity in defining what “profiling for commercial purposes” entails. The present article seeks to fill this gap and presents a new taxonomy of the various manifestations in which the commercial profiling of children occurs. This is followed by a children’s rights-based assessment of the six distinguishable manifestations of children’s commercial profiling, highlighting the importance of nuance in the academic and regulatory discourse on the subject. Whereas profiling children to <em>directly</em> monetise their personal data interferes with several children’s rights and likely causes children significant harm (although full scientific evidence thereupon is still lacking), in certain use cases profiling children for <em>indirect</em> commercial purposes may contribute to the exercise of their rights and wellbeing. The article subsequently assesses the EU regulatory framework governing the various manifestations of children’s commercial profiling through the prism of the precautionary principle, a general principle of EU law that justifies the regulation of a practice in the face of scientific uncertainty on the (long-term) harm it may cause. In the field of children’s rights, a strong precautionary approach is the norm, mandating the prohibition of practices that pose (unacceptable levels of) risk to children. The analysis dissects the relevant provisions in the General Data Protection Regulation (‘GDPR’), the Unfair Commercial Practices Directive (‘UCPD’), the Digital Services Act (‘DSA’) and Artificial Intelligence Act (‘AI Act’), to conclude that primarily, yet merely in theory, the GDPR is adequately equipped to uphold children’s rights in this regard, as the fairness and transparency principles that are cornerstones to the GDPR do not allow for the processing of children’s data in the context of the vast majority of children’s commercial profiling practices that remain omnipresent to date.</div></div>","PeriodicalId":51516,"journal":{"name":"Computer Law & Security Review","volume":"57 ","pages":"Article 106143"},"PeriodicalIF":3.3000,"publicationDate":"2025-05-12","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Computer Law & Security Review","FirstCategoryId":"90","ListUrlMain":"https://www.sciencedirect.com/science/article/pii/S2212473X25000161","RegionNum":3,"RegionCategory":"社会学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"LAW","Score":null,"Total":0}

引用次数: 0

Abstract

Over a decade after the Article 29 Working Party first stated that data controllers should refrain from the processing of children’s data for the purpose of behavioural advertising, children are still profiled at scale for commercial purposes, including behavioural advertising. The United Nations Convention on the Rights of the Child (‘UNCRC’) Committee urges States parties to prohibit profiling children for commercial purposes, as the practice is associated with a panoply of potential children’s rights violations and may cause children significant harm. Yet little scholarship is devoted to seeking granularity in defining what “profiling for commercial purposes” entails. The present article seeks to fill this gap and presents a new taxonomy of the various manifestations in which the commercial profiling of children occurs. This is followed by a children’s rights-based assessment of the six distinguishable manifestations of children’s commercial profiling, highlighting the importance of nuance in the academic and regulatory discourse on the subject. Whereas profiling children to directly monetise their personal data interferes with several children’s rights and likely causes children significant harm (although full scientific evidence thereupon is still lacking), in certain use cases profiling children for indirect commercial purposes may contribute to the exercise of their rights and wellbeing. The article subsequently assesses the EU regulatory framework governing the various manifestations of children’s commercial profiling through the prism of the precautionary principle, a general principle of EU law that justifies the regulation of a practice in the face of scientific uncertainty on the (long-term) harm it may cause. In the field of children’s rights, a strong precautionary approach is the norm, mandating the prohibition of practices that pose (unacceptable levels of) risk to children. The analysis dissects the relevant provisions in the General Data Protection Regulation (‘GDPR’), the Unfair Commercial Practices Directive (‘UCPD’), the Digital Services Act (‘DSA’) and Artificial Intelligence Act (‘AI Act’), to conclude that primarily, yet merely in theory, the GDPR is adequately equipped to uphold children’s rights in this regard, as the fairness and transparency principles that are cornerstones to the GDPR do not allow for the processing of children’s data in the context of the vast majority of children’s commercial profiling practices that remain omnipresent to date.

查看原文本刊更多论文

剖析儿童的商业特征：根据预防原则对GDPR、UCPD、DSA和AI法案进行拟议的分类和评估

在第29条工作组首次声明数据控制者应避免以行为广告为目的处理儿童数据的十多年后，儿童仍然被大规模地用于商业目的，包括行为广告。《联合国儿童权利公约》（以下简称《公约》）委员会敦促缔约国禁止出于商业目的对儿童进行侧写，因为这种做法与一系列可能侵犯儿童权利的行为有关，并可能对儿童造成重大伤害。然而，很少有学者致力于寻找定义“商业目的的分析”所需要的粒度。本文试图填补这一空白，并提出一种新的分类法，说明对儿童进行商业分析的各种表现形式。随后，以儿童权利为基础，对儿童商业形象的六种不同表现形式进行了评估，强调了关于这一主题的学术和监管话语中细微差别的重要性。虽然对儿童进行侧写以直接将其个人数据货币化会干扰儿童的多项权利，并可能对儿童造成重大伤害（尽管仍缺乏充分的科学证据），但在某些用例中，出于间接商业目的对儿童进行侧写可能有助于行使儿童的权利和福祉。随后，本文通过预防原则的棱镜评估了欧盟管理儿童商业形象各种表现形式的监管框架，预防原则是欧盟法律的一般原则，在面对可能造成（长期）伤害的科学不确定性时，证明了对一种做法的监管是合理的。在儿童权利领域，一种强有力的预防办法是规范，规定禁止对儿童构成（不可接受的）危险的做法。该分析分析了《一般数据保护条例》（“GDPR”）、《不公平商业惯例指令》（“UCPD”）、《数字服务法》（“DSA”）和《人工智能法》（“AI法”）中的相关条款，得出的结论是，GDPR在这方面有足够的能力维护儿童的权利，但这仅仅是理论上的。因为作为GDPR基石的公平和透明原则不允许在绝大多数儿童商业分析实践的背景下处理儿童数据，这些实践至今仍然无处不在。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

Computer Law & Security Review LAW-

CiteScore

5.60

自引率

10.30%

发文量

审稿时长

67 days

期刊介绍： CLSR publishes refereed academic and practitioner papers on topics such as Web 2.0, IT security, Identity management, ID cards, RFID, interference with privacy, Internet law, telecoms regulation, online broadcasting, intellectual property, software law, e-commerce, outsourcing, data protection, EU policy, freedom of information, computer security and many other topics. In addition it provides a regular update on European Union developments, national news from more than 20 jurisdictions in both Europe and the Pacific Rim. It is looking for papers within the subject area that display good quality legal analysis and new lines of legal thought or policy development that go beyond mere description of the subject area, however accurate that may be.