He’s Making a List. Will Regulators Check His Privacy Practices Twice?

Santa’s practice of monitoring behavior of children across the globe has been publically disclosed for decades, but the recent implementation of the EU General Data Protection Regulation (GDPR) and enactment of the California Consumer Privacy Act (CCPA) raise new questions about the lawfulness of Santa’s activities and rights of children when it comes to collection of data about their activities, locations, and toy preferences. (The application of these laws to Santa’s elves in the employment context is beyond the scope of this article.)

A look at Santa’s operations reveals many of the theoretical and practical challenges that businesses will continue to face throughout the new year as they seek to comply with an increasingly complex legal landscape. Our understanding is that Santa is operating as a for-profit; he does charitable work, but there must be some financial incentive to living in the North Pole throughout the year. We can also safely assume that he collects data on more than 50,000 individuals, devices, or households, as there are well more than 50,000 children who celebrate Christmas in the world.

Does Santa’s collection of data from and about minors raise any special issues?

Santa’s collection of data is ubiquitous. He makes observations on children, including children under 13 years old, in public places like local malls, and sends elves to sit on the shelves of children’s homes to monitor their behavior behind closed doors. He also collects precise geo-location data to locate children who spend Christmas at Grandma’s house.

The GDPR requires that Santa obtain consent from the legal guardians of children in the EU in order to track their behavior. Santa would not be able to rely on legitimate interest as a basis for processing: the fundamental rights and freedoms of the data subject are heightened when the data subject is vulnerable (such as a child), and seeing you when you are sleeping is likely to be construed by EU regulators as an intrusion on privacy rights that cannot be justified by legitimate interest, even if safeguards are employed. Santa may also be collecting special categories of data on children in many instances—if he is in their homes, he may observe their political beliefs, religious beliefs, and health—and therefore explicit consent is required.

The CCPA does not place any restrictions on the collection of data. The only provision that would come into play due to the fact that data subjects are minors is that Santa could not sell the data of children younger than 13 without opt-in consent of their guardians. The federal Children’s Online Privacy Protection Act would not apply to Santa—it would only apply if he creates a website or online service to allow children to submit their wishlists or other information about themselves.

Can a naughty child have his bad deeds erased from the list?

The key criticism that has been leveled against the right to deletion is that such a policy may allow wrongdoers to demand erasure of evidence of their wrongdoing which might otherwise be used against them in performance decisions or legal proceedings down the road.

Under the GDPR, naughty children very well could request that Santa remove the negative information about them. As discussed, Santa’s processing must be based on consent, and the GDPR allows an individual to withdraw consent and demand deletion at any time. An exception would apply if there were a legal requirement to retain the data—but there are no record retention rules applicable to Santa.

The CCPA contains exceptions to the right of deletion that are so wide, Santa could drive a sleigh pulled by reindeer through them. First, the right only applies where the individual has provided the information directly. Data that Santa or his elves obtain through observation is not data that is provided by the individual. Second, the business is not required to delete personal information if necessary to complete the transaction for which it was collected. If a child has requested toys from Santa, then the information would be required to complete that transaction.

Finally, another exception would allow Santa to keep the data if he is otherwise using it “internally, in a lawful manner that is compatible with the context in which the consumer provided the information.” So long as Santa isn’t disclosing the data he collects to others, then evaluating whether a child is naughty or nice is clearly within the context of the collection, and Santa could decline. (There remains, however, is an interesting interpretive question regarding whether, if Santa is using a service provider to store or organize the data, a use is still “internal.”)

Can Santa discriminate against kids who opt out of behavior tracking?

Yes. Under both the GDPR and the CCPA, Santa could provide those children with lumps of coal—or no gift at all.

The GDPR does not explicitly prohibit discrimination against individuals who opt out of tracking. It is possible in some cases that denying benefits for refusal to provide consent could render the consent not freely given. However, where the data collection is inextricably linked to the service being rendered—which it is here, because an address is necessary to deliver goods—it is likely that the consent would not be found to be coercive. The CCPA contains a provision that prohibits discrimination where an individual has exercised a right under the CCPA (though there are caveats to the application that are difficult to understand).

This would not come into play, however, with regard to Santa’s collection of behavioral data, as there is no right to opt out of the direct collection of data by a company with whom a consumer chooses to do business, or information that amounts to observations about the consumer by the company. The consumer can opt out of sharing with another company, but if Santa fulfills the gift request himself, or uses a vendor classified as a service provider, no sale has occurred. The individual can provide the information and then immediately request that a business delete it; however, as noted above, exceptions to the right to deletion may apply.

What if Santa uses AI to determine which children are naughty versus nice?

The number of children in the world is increasing, and surely Santa would find that technology would now afford him the opportunity to more easily track children and to automatically evaluate their behavior as bad or good. Under Article 22 of the GDPR, a person has a right not to be subject to automated decisionmaking that produces legal effects or significantly affects him or her. Not receiving presents at Christmas arguably significantly affects children. Santa could get around this by obtaining the explicit consent of their guardians to use AI, but he would still have to implement suitable measures to safeguard the child’s rights and freedoms and legitimate interests, and provide guardians the opportunity to contest the decision and obtain human intervention.

The CCPA does not address automated decisionmaking. However, the CCPA nonetheless has implications for AI generally. Exercise of rights to erasure, where applicable, could result in data sets being less rich, making algorithms less accurate. Further, the CCPA’s requirement that companies provide granular privacy notices that tie categories of data collected to purposes of the collection could put companies in a difficult position when it comes to analytics.

If a company has represented that it collects physical addresses to deliver products, use of that data elsewhere to analyze regional preferences of consumers would be deceptive. But if the company writes in its privacy policy that all data collected could be used for improvement of products and services, it becomes vulnerable to criticism that it did not provide the granularity required by the law, and that it is using boilerplate statements intended to obfuscate.

Santa’s Data Protection Officer will no doubt be busy in 2019.