從美國兒童線上隱私保護法檢視數位時代兒童個人資料保護法制推動課題

Legal Study on Children’s Data Protection Legislation under Digital Environment from the Perspective of US Children’s Online Privacy Protection Act

兒童對於個人資料因使用網路服務與資訊設備從而遭到不當蒐集與利用一事，往往欠缺必要的認知與防備能力。美國在網路開放商業使用未久便通過兒童線上隱私保護法（Children’s Online Privacy Protection Act, COPPA）並由聯邦貿易委員會制定 COPPA 規則，凡以兒童為目標客群的平台或線上服務，經營者蒐集兒童個人資料時必須取得父母事前同意並確保該等同意可資驗證，同時符合其他要求。觀察 COPPA 實施以降代表性執法案例，由電子商務、行動應用服務至近年廣受歡迎的視訊串流與短影音平台，除反映資通訊科技及網路商務模式的遞嬗情形，也突顯出數位時代兒童隱私保護法制設計，能否揆諸科技更迭適時進行調整實至為重要。國內現行個人資料法在定位為普通法之前提下，並未特別慮及兒童之保護需求，若擬強化兒童個人資料之保護，可能作法包括仿 COPPA 制定特別法進行規範，抑或仿歐盟GDPR 於個資法中納入相關保護規定。除立法論層面之討論，本文認為關鍵當在於採納規定的可行性與落實，包括 COPPA 實務運作所突顯的平台╱網路服務是否以兒童作為目標客群之判斷，以及如何建立業界廣泛認可並可得負擔的父母事前同意確認機制。此外，能否識別網路使用者（兒童）的真實年齡亦殊為重要，導入第三方年齡驗證服務或運用人工智慧技術進行確認，是國內在研商相關法制時可併同納為考量之事項。

Children’s internet use has dramatically increased in recent years. The expansive engagement of children in cyber space triggered privacy threats, but children often lack the awareness and the capacity to foresee possible consequences. To address the growing online privacy concerns of children, US Congress passed the Children’s Online Privacy Protection Act (COPPA) in 1998 and the Federal Trade Commission enacted and implemented COPPA Rules based on COPPA. COPPA applies to operators of commercial websites and online services, according to the major requirements of COPPA, operators must obtain verifiable parental consent prior to collection and use of personal data from children. Cases tagged with COPPA which covered electronic commerce platforms, mobile applications, social networking sites and short video platforms illustrate the development and changes of Information and Communication Technologies, as technology continues to advance, it become more and more important to keep the legislation stay current by enacting frequent updates to the law. Taiwan’s Personal Data Protection Act (PDPA) was first introduced in 1996 and was significantly amended in 2010, with the amendments becoming effective in 2012. Being the basic law of data protection affairs, the PDPA did not specifically consider the protection needs of children. Considering the increasing demand for children’s privacy protection, possible approaches include formulating a section law such as COPPA, or imitating GDPR to include relevant protection provisions in PDPA. Regardless of what approach is adopted, the legislator should focus on the feasibility and implementation of relevant regulations, specifically judging whether the operators of platform or online service target the children or not, and promote acceptable and affordable parental consent verification mechanisms.