Alexa, Are You Friends With My Kid? Smart Speakers and Children’s Privacy Under the GDPR

Abstract

This dissertation examines if two popular smart speakers, i.e. Amazon Echo and Google Home, comply with selected GDPR requirements regarding the privacy of children. Supposedly being digital natives, the trend of datafication increasingly affects them, even in protected places such as their homes. Smart speakers, which are connected to virtual personal assistants, play a big role in the collection of children’s personal data at home. In particular, children might regard the assistants as intimates and reveal a critical amount of sensitive data to them. This is why smart speakers pose severe risks to children’s fundamental right to privacy according to art.16 of the UN Convention on the Rights of the Child, art. 7 and 8 of the Charter of Fundamental Rights of the EU and art. 8 of the European Convention of Human Rights. In spite of these dangers, smart speakers are not under the same scrutiny as smart toys. In order to protect their privacy, it is vital that these devices provide a high degree of data protection for children and fully comply with applicable regulations, especially with the GDPR. This paper thus examines the Amazon Echo’s and Google Home’s compliance with the GDPR by focusing on three categories: Transparency, parental consent according to art.8 GDPR and the right to erasure. The concerning findings of this research show that both devices violate the legal requirements of the examined categories in many ways. Especially, there are doubts if the processing of children’s data by Amazon Echo and Google Home complies with the GDPR principles of lawfulness, fairness and transparency. The smart speakers’ ways of processing personal data are often completely unclear for children and parents, turning the devices into “black boxes”. Also, parental consent in line with art. 8 is rarely sought before the processing of children’s data. Finally, children’s data are potentially stored indefinitely. Thus, it is suggested that smart speakers are not yet suited for the use by children and must be completely re-designed to provide them with the specific protection they merit under the GDPR according to recital 38.