RIGHT OF ONLINE INFORMATIONAL PRIVACy OF CHILDREN IN MALAySIA: A STATUTORy PERSPECTIVE

The advantage of digital era with unlimited access to the Internet is enjoyed by most people globally including the young and children. However, policy-makers concern with the advancement of Internet and propagate the idea of shielding and segregating the children from the harm that may cause from access to the Internet, including breach of online privacy of the children. Children are not sensitive with their online privacy or do not know how to protect their online privacy. Hence, some countries have enacted specific legislation to protect the privacy of the children such as the Children’s Online Privacy Protection Act (COPPA) in the United States of America or introduced self-regulatory initiatives on online child privacy like in the European Union. At the international level, the Convention on the Rights of the Child was introduced in 1989 by the United Nation to protect the children. In Malaysia, the government introduces the Child Act 2001 and the Sexual Offences against Children Act 2017 to protect the children. However, how far these two Acts protect the online privacy of the children in Malaysia? Thus, the article seeks to examine the legal protection of children online informational privacy in Malaysia. The article adopts doctrinal research methodology which is mainly library research approach. The article finds that the current regimes of laws do not adequately protect the online privacy of the children in Malaysia. It is suggested that amendment or enactment of the laws to that effect be made.


INTRODUCTION
The advantage of the digital era in a borderless world and unlimited access to the Internet is enjoyed by most people globally, if not all, including the young or children. While the current millennials (Lenhart, Purcell, Smith, & Zickuhr, 2010) are more computer-savvy than their parents (Heckman, 1999), children are also well versed with the Internet and enjoy digital access at a very young age. However, policy-makers are concerned with the advancement of the Internet and have propagated the idea of shielding and segregating children from harm that may be caused from access to the Internet (Allen, 2001). In addition, although there are many benefits of the Internet to children (Omar, Daud, Hassan, Bolong & Teimmouri, 2014) the harm and dangers it poses to children is worrying (Kumaran, 2016) because the online informational privacy of children is threatened by children's participation in the digital world. Moreover, children are unconcerned about their privacy (including online privacy), or do not know how to protect their informational privacy and data which are of concern to adults (Allen, 2001). Children are also unaware of the consequence and impact of revealing their personal information, either their own data or family data. As such, some countries have enacted specific legislation to protect the privacy of children like the Children's Online Privacy Protection Act (COPPA) in the United States of America (Hetcher, 2000); or introduced self-regulatory initiatives on online children privacy like in the European Union (EU) (Macenaite, 2016). At the international level, the Convention on the Rights of the Child (CRC) was introduced in 1989 by the United Nations (Lundy, 2012) to generally protect children. The CRC acknowledges that children are a group of people that needs extra care and protection. In Malaysia, the government has introduced the Child Act 2001 and the Sexual Offences against Children Act 2017 that protect children. However, how far do these two acts protect the online informational privacy of children in Malaysia? Furthermore, what drives the authors to investigate the issue of protection of online informational privacy of children in Malaysia is that research in this area is lacking. Studies by Abas (2012), Mohd and Kadir (2012), Muda and Alwi (2012) and Hussin (2007) were focused on the protection of children against physical abuse and juvenile delinquents rather than the protection of privacy itself. Research by Sarabdeen and De-Miguel-Molina (2010) were centred on general legal protection given to children in Malaysia in comparison to Spain and Australia, while Zakaria, Yew, Alias and Hussain (2011) discussed software and online tools to protect children online. Apart from the work of Wahab, Dahalan and Shahwahid (2017) which looked at the right to participate against the right to privacy among the young, to date there is hardly any research on the legal protection of online informational privacy of children in Malaysia. As such, this study seeks to examine the statutory protection of online informational privacy of children in Malaysia.

METHODS
This study adopted doctrinal research methods which were largely documentary. According to Salter and Mason (2007), doctrinal research methodology is a study that focuses on cases, rules and principles. These cases, rules and principles comprised substantive content of legal doctrines. Deploying a deductive form of legal reasoning from legal principles is a classic form of doctrinal research method. To put it simply, doctrinal research is a research which defines what the law in a particular area is. In doing so, the researcher collects and analyses the data from primary and secondary sources (Dobinson & Johns, 2007). Then, the data is analysed and discussed. The primary data from this study came from statutes which are the focus of this article, i.e. the Federal Constitution, the Penal Code, Child Act 2001, Sexual Offences against Children Act 2017, Personal Data Protection Act 2010 and Communications and Multimedia Act 1998. Malaysian cases, although quite limited, were also analysed.
This study however did not adopt a comparative methodology. Only a brief comparison was made with the position in the United States of America, and was used as a source of critique. The US position is examined due to the fact that the US introduced COPPA specifically to protect the privacy of children.

FINDINGS/RESULTS
For the purpose of clarity in this article, informational privacy rights is defined as the ability to control collection, use, and disclosure of one's personal information (Levesque, 2016). The following sections discuss the findings and results of the paper. They are divided into a few sub-headings accordingly.

Online Informational Privacy for Children in Malaysia
The proliferation of the use of the Internet in the current digital era is unstoppable. The number of Internet users and smartphone users keep increasing rapidly. In Malaysia, the Malaysian Communications and Multimedia Commission or MCMC (2017) reported that there were 24.5 million Internet users in 2016 of which, 13 per cent were below 20 years old, including some as early as 5 years old. With regards to mobile phone users (or handphone users), there were 12.5 per cent of mobile phone users in Malaysia who were below 20 years old (MCMC, 2015) where more than 80 per cent used smartphones. In 2015, it was estimated that the number of smartphone users was 11 million and was increasing at a rate of 10 per cent yearly from 2013 to 2017 (Azwar, 2016). Out of the total number of Internet users in Malaysia, 2.3 per cent of its users were under 15 years old and 14.2 per cent were between 15-19 years old (MCMC, 2013). This represented around 16.5 per cent of Internet users in Malaysia or equivalent to 3.1 million young users (MCMC, 2013). The number of "registered" users of the Internet and smartphone amongst children in Malaysia is relatively high, what more if it is inclusive of "nonregistered" users. "Non-registered" users here mean, for instance, when the registered number of the phone(s) and the smartphone itself are under the name of the parent but the device is given/used by the children. It was also reported that children used the device mostly to surf the Internet (MCMC, 2017). As such, while the number of children wandering and roaming the online world is increasing, is their informational privacy adequately protected?
It has been acknowledged that children's rights are important agenda for protection around the world, as seen by the introduction of the CRC by the United Nations. However, the rights of children in relation to Internet protection are considered as inadequate (Livingstone & O'Neill, 2014) including the protection of online privacy. Letting children in the online world will expose them to sexually explicit material, online predators and also criminals who try to lure children to reveal their personal identifiable information. The revelation of personal identifiable information or information privacy may lead to offline sexual solicitation and identity theft (Grandison, 2011). Privacy is considered as one of the core values of security (Moor, 1997) and thus, protecting children's online privacy is imperative (Bélanger, Crossler, Hiller, Park, & Hsiao, 2013). It is pertinent that the online privacy of children be protected in Malaysia. In Malaysia, as discussed earlier, the legislation protecting the online privacy of children is lacking. This is because the online protection as provided by the abovementioned acts in Malaysia is only concerned with the protection of children against criminal acts, either online or physically. Acts like the Penal Code, the Sexual Offences against Children Act 2001 and the Communications and Multimedia Act 1998 protect children against child pornography, online grooming, harassment, etc. The Child Act 2001, for instance, governs mainly the protection of children in relation to physical abuse (Abas, 2012;Muda & Alwi, 2012). Even the Personal Data Protection Act 2010 does not explicitly provide for the online information privacy of children. Likewise, the apex law of the land, the Federal Constitution also does not specifically provide for the protection of privacy of children although the right to privacy is recognised. This is despite the fact that children are very vulnerable and do not know how to manage their privacy in the online world. Besides, with the explosive use of online social networks, the risk of privacy infringement against children is greater. Their personal identifiable information is easily available, accessible and open to being stolen or abused over online social networks (Zakaria, Yew, Alias, & Husain, 2011).

Legislation on Privacy and Personal Data Protection in Malaysia
The following subheadings discuss the current legislation in Malaysia that governs the issue of privacy protection. There are mainly two pieces of legislation for that matter, namely the Federal Constitution of Malaysia and the Personal Data Protection Act 2010.

Federal Constitution
The Malaysian Federal Constitution does not spell out explicitly the right to privacy as one of the fundamental rights in Malaysia, but does provide for several related rights, including right to life and personal liberty, right to freedom of movement, freedom of assembly, speech and freedom of association. Certain restrictions may be imposed on the rights granted by way of law in order to safeguard the interest and security of the Federation and to maintain public order (Ayub & Yusoff, 2007). In other words, the fundamental rights and liberties granted under Part II of the Constitution are not absolute. However, under the subheading of rights to fundamental liberties, article 5 of the Constitution is said to be the most important, where the right to life and personal liberty are provided. Under article 5(1), it provides that "No person shall be deprived of his life or personal liberty save in accordance with the law." The expressions "life" and "personal liberty" have been construed widely by the apex court of Malaysia to cover all aspects of life including the right to privacy  Nevertheless, the need to have an express recognition of the right to privacy in Malaysia is pertinent with the advancement of technology  and the coming of the fourth industrial revolution. There must be an express statutory recognition of the right to privacy in Malaysia, either by way of introduction of specific legislation governing privacy or by way of insertion of a few provisions under the Federal Constitution or statutes. Furthermore, as argued by , the application of English common law principle in protecting the right to privacy in Malaysia is no longer adequate.

Personal Data Protection Act 2010
The Personal Data Protection Act 2010 ("PDPA") is another piece of legislation which regulates the "processing of personal data in commercial transactions and to provide for matters connected therewith and incidental thereto" as provided under the Preamble of the Act. Under the Act, "personal data" means -"…any information in respect of commercial transactions, which-(a) is being processed wholly or partly by means of equipment operating automatically in response to instructions given for that purpose; (b) is recorded with the intention that it should wholly or partly be processed by means of such equipment; or (c) is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system, that relates directly or indirectly to a data subject, who is identified or identifiable from that information or from that and other information in the possession of a data user, including any sensitive personal data and expression of opinion about the data subject;…" Based on the above, the focus of the Act is the protection of personal data which contains all those principles in order to satisfy minimum requirements for the law governing collection and processing of personal data. The PDPA 2010 covers only personal data processing of "commercial transactions". As such, the customer's name, address, contact number and some other information given in order to complete a transaction, that data or personal information is protected under the Act . This indirectly protects the "information privacy" of the data subjects which becomes a growing concern to multiple stakeholders including business leaders, privacy activists, scholars, government regulators, and individual consumers (Smith, Dinev & Xu, 2011).
With regards to the protection of information privacy or personal data of children, they are defined as "relevant person" in the Act, when a person or a data subject is below the age of eighteen years old, section 4 of the Act states that the parent, guardian or person who has parental responsibility for the data subject will be responsible and act on behalf of the children. Then, throughout the Act, the word "relevant person" is used to refer to the parent, guardian or person who has parental responsibility over the children. The question is, as argued prior to this, are parents able to monitor and "act" on behalf of their children, to protect their children online, when their children are more computer-savvy than themselves? As such, we look further into the online privacy of children in Malaysia.

Legislation on Child Protection in Malaysia
The United Nations introduced the Convention on the Rights of the Child (CRC) in November 20, 1989 and it came into force on September 2, 1990(United Nations, 2017Lundy, 2012). The CRC is considered as a universal legal instrument that is recognised as an international legal instrument. The CRC incorporates the full range of human rights to children including civil, cultural, economic, political and social rights (Livingstone & O'Neill, 2014). Article 3(1) of the CRC states that "…in all actions concerning children, whether undertaken by public or private social welfare institutions, courts of law, administrative authorities or legislative bodies, the best interests of the child shall be a primary consideration." Furthermore, the "States Parties undertake to ensure the child such protection and care as is necessary for his or her well-being, taking into account the rights and duties of his or her parents, legal guardians, or other individuals legally responsible for him or her, and, to this end, shall take all appropriate legislative and administrative measures" as provided under Article 3(2) of the CRC (United Nations, 2017). The States Parties henceforth, need to take measures in introducing which are adequate and appropriate, legally and administratively, taking into consideration the best interest of the child. Though, what is in the child's best interest may differ and is difficult to determine (Livingstone & O'Neill, 2014).
Malaysia has ratified the United Nation's Convention on the Rights of Child (CRC) with reservations which are -"The Government of Malaysia accepts the provisions of the Convention on the Rights of the Child but expresses reservations with respect to articles 2, 7, 14, 28 paragraph 1(a) and 37, of the Convention and declares that the said provisions shall be applicable only if they are in conformity with the Constitution, national laws and national policies of the Government of Malaysia." The reservations made by the Malaysian government on the said articles of the CRC were mainly based on Malaysian sensitivity towards ethnicity, religion, race and customs which are very diverse in Malaysia. It is also aimed at creating stability and sustaining harmony in Malaysia. At the national level, a protection policy for children known as the National Child Protection Policy underlines strategies and activities to prevent and respond to the neglect, abuse, violence and exploitation of children. In the policy, exploitation refers to the use of children in activities that enable other parties to benefit in the form of financial, sexual, political and other interests that could threaten the physical and psychological well-being or survival of children (Department of Social Welfare, 2018). In complying with the ratification of the CRC, Malaysia enacted a few acts namely the Child Act 2001, amended the Education Act 1996 and recently introduced the Sexual Offences against Children Act 2017. These acts are among a few acts that govern the protection and welfare of children in Malaysia. For the purpose of this sub-heading, only the Child Act 2001 and the Sexual Offences against Children Act 2017 are briefly discussed.

Child Act 2001
The Child Act 2001 was enacted, introduced and enforced in 2001. The preamble of the Child Act 2001 provides that it is an Act to consolidate and amend laws relating to the care, protection and rehabilitation of children and to provide for matters connected therewith and incidental thereto. Based on the protection given under the Act, it has been argued that the Act only extends its protection for children in regards to mainly abuse. Although there is no definition of the term "abuse" in the Act, section 17(2) of the Act provides for examples of abuse to include physical abuse, neglect, sexual abuse, and emotional abuse (Muda & Alwi, 2012). Abas (2012) classified four forms of child abuse under the Act, namely, physical, emotional, sexual and neglect.
The Child Act (section 17(2)(a) provides that -"(2) For the purposes of this Part, a child is-(a) physically injured if there is substantial and observable injury to any part of the child's body as a result of the non-accidental application of force or an agent to the child's body that is evidenced by, amongst other things, a laceration, a contusion, an abrasion, a scar, a fracture or other bone injury, a dislocation, a sprain, haemorrhage, the rupture of a viscus, a burn, a scald, the loss or alteration of consciousness or physiological functioning or the loss of hair or teeth." As such, a child is considered to be physically abused if there is substantial and observable injury to any part of the child's body; that the parent or guardian caused the injury; an act or omission that occurs intentionally or with intent to injure the child (Muda & Alwi, 2012;Abas, 2012).
Further, section 17(2)(b) states that emotional abuse is -"…emotionally injured if there is substantial and observable impairment of the child's mental or emotional functioning that is evidenced by, amongst other things, a mental or behavioural disorder, including anxiety, depression, withdrawal, aggression or delayed development." Based on the provision, emotional abuse is a psychological trauma and may also refer to the acts or omissions of the parents or guardians who treat their children in a negative behaviour (Abas, 2012).
The other form of abuse against children is sexual abuse. Section 17(2)(c) provides that a child is -"(c) sexually abused if he has taken part, whether as a participant or an observer, in any activity which is sexual in nature for the purposes of -any pornographic, obscene or indecent material, (i) photograph, recording, film, videotape or performance; or sexual exploitation by any person for that person's or (ii) another person's sexual gratification." This provision may also include the act of paedophiles and child pornographers. But what is obscene or indecent in relation to the sexual abuse of children is not defined in the Act. The term "indecent" is discussed in the later part of this paper.
Another form of protection given to children under the Act is protection against "neglect". Neglect can be defined as the persistent and serious failure to provide basic physical, emotional and development needs in terms of health, education, emotional development, nutrition, shelter and safe life for children (Abas, 2012). It is an offence as provided under the Act against any form of abuse, neglect, ill-treatment, abandonment or exposing children to these conditions. Section 31(1) of the Act clearly states that "any person who, being a person having the care of a child; abuses, neglects, abandons or exposes the child in a manner likely to cause him physical or emotional injury or causes or permits him to be so abused, neglected, abandoned or exposed; or sexually abuses the child or causes or permits him to be so abused, commits an offence and shall on conviction be liable to a fine not exceeding twenty thousand ringgit or to imprisonment for a term not exceeding ten years or to both." Section 33 of the Act is also very interesting to note. It provides -"Any person who, being a parent or a guardian or a person for the time being having the care of a child, leaves that child -(a) without making reasonable provision for the supervision and care of the child; (b) for a period which is unreasonable having regard to all the circumstances; or (c) under conditions which are unreasonable having regard to all the circumstances, commits an offence and shall on conviction be liable to a fine not exceeding five thousand ringgit or to imprisonment for a term not exceeding two years or to both.
The question is, does leaving the child unsupervised or without adequate supervision in the online world (for example, leaving the child surfing the Internet unsupervised), also an offence?
It is submitted, as such, that the Act only protects children against abuse and neglect as provided in the Act without extending the protection to the online world, what more with regards to the privacy of children and in particular, their online informational privacy. Moreover, it is also clear that one of the functions in the establishment of the "Co-ordinating Council for the Protection of Children" under the Act is to develop programmes to educate the public on the prevention of child abuse and neglect; however it does not include protection of the privacy of children.

Sexual Offences against Children Act 2017 and the Penal Code
The Sexual Offences against Children Act 2017 (SOACA 2017), as the title of the Act states, is an act which provides certain sexual offences against children and its punishment. The protection provided for children under this Act includes protection against child pornography (SOACA 2017, Part II), child grooming (SOACA 2017, Part III), sexual assault (SOACA 2017, Part IV,) and abetment of any offence under the Act (SOACA 2017, section 21).
Since its inception, it was reported that 14 cases were solved under the Act while another 48 cases remains to be heard. The first person to be charged under the Act was found guilty under section 14(d) of the Act. The accused, Mohd Nazrin Rabuan, 21, received six months imprisonment after he pleaded guilty to physical contact and embracing a 15-year-old student illicitly at a hotel in Bandar Puteri Puchong between 3 a.m. and 5 a.m. on July 20. The charge under Section 14(d) of the Sexual Offences against Children Act 2017 carries a jail term not exceeding 20 years, and is liable to whipping on conviction (Shurentheran, 2017).
In regards to the Penal Code, it is an Act relating to criminal offences applicable throughout Malaysia and protects every person either adult or children. However, there are a few provisions that specifically protect children against criminal acts. For instance, offence of sale etc. of obscene objects to young person (section 293), kidnapping a minor from lawful guardianship (section 361), preventing a child being born alive or to cause it to die after birth (section 315), infanticide (section 309A), exposure and abandonment of a child under twelve years by parent or person having care of it (section 317), statutory rape (section 375(g) and inciting a child to an act of gross indecency (section 377E).
As such, these two Acts clearly provide protection for children but only in regards to sexual offences or other criminal offences, but not against invasion of privacy or in cases of breach of personal data.

Communications and Multimedia Act 1998
The Communications and Multimedia Act 1998 is enacted to govern the communications and multimedia industries in Malaysia. It is not an Act to protect the children directly. However, the Act has all-encompassing provisions in protecting the Internet and online users from improper use of network facilities or network service. Section 233 of the Act provides for offences of making, creating, soliciting or initiating the transmission of communication which is obscene, indecent, false, menacing or offensive in character with intent to annoy, abuse, threaten or harass another person (section 233(1)(a)). It is also an offence to initiate a communication using any applications service, whether continuously, repeatedly or otherwise, during which communication may or may not ensue, with or without disclosing his identity and with intent to annoy, abuse, threaten or harass any person at any number or electronic address (section 233(1)(b)). Another offence under the same provision are offences of knowingly providing any obscene communication for commercial purposes to any person(s); or permits a network service or applications service under the person's control to be used for any proscribed activity (section 233(2)(a) & (b)).
Under the provision, it is an offence if any person makes, creates or solicits and initiates the transmission of any comment or other communication which is obscene, indecent, false, menacing or offensive. This actus reus must be coupled with the mens rea that is, with the intention to annoy, abuse, threaten or harass another person. One question remains an issue in Malaysia, what is considered as 'obscene' or 'indecent'? What is obscene or indecent has never been clearly defined in Malaysia. This was admitted by the Chief Justice of Malaysia, Eusoff Chin who said "as to what act constitutes indecency or gross indecency, the legislature itself has seen it fit not to give it a definition, but has left it entirely to the court to determine." It is not possible to define what an "indecent or grossly indecent act" is (Sukma Darmawan Sasmitaat Madja v Ketua Pengarah Penjara Malaysia & Anor, 1999 The test of obscenity is this, whether the tendency of the matter charged as obscenity is to deprave and corrupt those whose minds are open to such immoral influences and into whose hands a publication of this sort may fall..." The way in which the test is to be applied by a trial court is best explained by Lord Cooper where he said -"...it seems to me to be not only intelligible but inevitable that the character of the offending books or pictures should be ascertained by the only method by which such a fact can be ascertained, viz. by reading the books or looking at the pictures. The book or picture itself provides the best evidence of its own indecency or obscenity or of the absence of such qualities" (Galletly v Laird, 1953).
The test laid down by Mohamed Ibrahim (1962) has been the position in Malaysia since then. For example, the judge said that in order to determine whether the seized video compact disk (VCD) was obscene, "the screening of each and every one of the 18 VCDs is necessary to determine whether they were obscene films" (PP v. Chung Wan Li, 2005).
The said provision of the 1998 Act is also used to prosecute computer content crimes such as pornography, sexually explicit remarks or obscene materials. It includes sending obscene short message system (SMS) over the mobile phone (Suruhanjaya Komunikasi dan Multimedia, 2007), posting an obscene blog title (Bernama, 2009)  Hence, it is argued that this Act does not directly provide online privacy protection for children, and also, does not protect children against online informational privacy or online personal data protection.

Online Privacy for Children in the United States -Brief Comparison
In the United States, the Federal Trade Commission in 1998 opined that the protection of online privacy for children to be inadequate. The FTC then recommended the enactment of Children's Online Privacy Protection Act to the Congress. In response to the recommendation Congress enacted on October 21, 1998, the Children's Online Privacy Protection Act of 1998 or COPPA (Hetcher, 2000). The introduction of COPPA expanded the FTC's enforcement powers in cyberspace. COPPA makes it unlawful for any operator of a web site directed to children to collect, use or disclose information without verifiable parental consent (Zavaletta, 2000). COPPA aims to "enhance parental involvement in children's online activities in order to protect the privacy of children in the online environment; to help protect the safety of children in online fora such as chatrooms, home pages, and pen-pal services in which children may make public postings of identifying information; to maintain the security of personally identifiable information of children collected online; and to limit the collection of personal information from children without parental consent" (Hetcher, 2000;Matecki, 2010).
The main mode of online protection for children under the COPPA is "parental consent". Parental consent is mandatory before websites can collect information from children under the age of thirteen. Failure to comply or satisfy parental consent, will lead to civil penalties to the websites. For instance, in the case of Xanga.com, the interactive social networking website failed to implement parental consent effectively, and was fined USD1 million for that failure.
In the case, data of over 7 million children were involved. Xanga also failed to give notification to the parents about the collection of information practices and also failed to give the parents access and control with regards to the data of their children that were collected by Xanga.com. Despite the requirement of parental consent under COPPA prior to the collection of children's personally identifiable information, the ability of children to circumvent or bypass parental consent procedures, frustrate the effectiveness of COPPA. While COPPA aims to empower parents to protect their children, websites have to take the initiative and be proactive in contacting parents to report that personally identifiable data of their children is collected (Bélanger et al., 2013).
When it was found that self-regulation was inadequate in protecting the online privacy of children, the United States introduced COPPA in 1998. The European Union (EU) has taken a different approach. The EU prefers self-regulatory initiatives to address online children's privacy. Even in the United States, there are proponents of self-regulation and are against the idea of legislating the online privacy of children (Miyazaki, Stanaland & Lwin, 2009). Macenaite (2016) highlights four initiatives of the EU in protecting the online privacy of children by way of self-regulation. Among the four initiatives are, "The Safer Social Networking Principles for the EU" introduced in 2009; the "Coalition to Make a Better and Safer Internet for Children"; "ICT Coalition for Children Online" in December 2011; and the "European Code of Practice for the Use of Personal Data in Direct Marketing" in 2013. Nevertheless, it has been admitted that there are significant limitations of self-regulation in the area of online child safety and privacy. The limitations are broadly formulated statements and unmeasurable commitments, limited monitoring mechanisms and inexistent sanctions. It has been suggested that the introduction of codes of conduct which is sectorspecific and institutionalised, will be better to safeguard the online safety and privacy of EU children (Macenaite, 2016).
In Malaysia, as discussed, the legislation protecting the online informational privacy of children is lacking. This is because the online protection as provided by the abovementioned Acts in Malaysia are only concerned with the protection of children against criminal acts, either online or in the physical world. Acts like the Penal Code, the Sexual Offences against Children Act 2001 and Communications and Multimedia Act 1998 protect children against child pornography, online grooming, harassment, etc. The Child Act 2001, for instance, governs mainly the protection of children in relation to physical abuse (Abas, 2012;Muda & Alwi, 2012). Even the Personal Data Protection Act 2010 does not explicitly provide for online information privacy of children. Likewise, the apex law of the land, the Federal Constitution also does not specifically provide for protection of privacy of children although the right to privacy is recognised. This is despite the fact that children are very vulnerable and do not know how to manage their informational privacy in the online world. Besides, with the explosive use of online social networks, the risk of privacy infringement against children is greater. Their personal identifiable information is easily available, accessible and open to being abused or stolen over online social networks (Zakaria, Yew, Alias, & Husain, 2011).
As such, while Malaysia already has the Child Act 2001 to protect the welfare of children, and subsequently enacted a specific act, the Sexual Offences against Children Act 2017 to govern the said matter, it is pertinent to have a specific Act like COPPA, to protect the online privacy of children which is currently absent in Malaysia. In other words, the regime of legislation that protects children in Malaysia, do not provide clear and specific protection of online informational privacy of children in Malaysia but only provides for children's protection against abuse and crimes. The suggested Act should emphasis on the protection of online informational privacy of children, taking data users and websites to task for violations, proactively getting parents' consent, and informing parents of any personal information collected from their children.