What data protection obligations do businesses have?
The GDPR and the Data Protection Act 2018 (DPA) place various obligations on anyone who processes personal data. These include, but are not limited to:
only using personal data in a fair, lawful and transparent way
retaining data for no longer than necessary
How should children’s personal data be handled?
The GDPR sets out that children’s personal data is subject to specific protection. This is because children ‘may be less aware of the risks, consequences and safeguards concerned and their rights in relation to the processing of personal data’. This specific protection is particularly important when using children’s data:
when creating user profiles
when offering services directly to children
As a result, anyone who processes children’s personal data must take special care when doing so.
What does this mean in practice?
In practice, this means that extra care needs to be taken when children’s personal data is involved in any of an organisation’s activities.
To ensure that this specific protection is afforded to children’s personal data, businesses should bear it in mind when first designing their data processing activities, products and systems. This is particularly true for businesses that regularly or systematically process children’s personal data.
When processing children’s personal data, a good starting point is carrying out a Data protection impact assessment (DPIA). DPIAs not only help businesses ensure that children’s data is adequately protected, but also help them assess and mitigate the data protection risks posed to children as a result of the business’ activities. Note that carrying out a DPIA is mandatory in certain circumstances.
All businesses require a legal basis for processing personal data. However, when processing children’s personal data, special requirements may apply. For example, businesses seeking to process children’s personal data on the basis of consent should only do so if they are truly able to give children (or someone with parental responsibility for them, eg a parent) an informed choice and control over how they will use their personal data. Businesses must also take into account the competence of children (ie whether they have the capacity to understand the implications of the processing of their personal data). For more detailed information on how the lawful bases apply to children, see the Information Commissioner’s Office’s (ICO’s) guidance.
The Age Appropriate Design Code
Since 1 September 2021, all online businesses in the UK that are likely to be accessed by children have been required to comply with the ICO’s Age Appropriate Design Code (also known as the ‘Children’s Code’). Businesses (especially developers and publishers) must be aware of their obligations to reform their policies to comply with this Code.
Products and services aimed at children face enhanced security requirements, particularly those imposed by the ICO, because children are more vulnerable to risks online. Age appropriate design standards that aim to protect children’s data include not just technical tools, but design principles too.
What is the Children’s Code?
The Children’s Code was introduced in response to increasing demand for better safeguarding of children’s privacy online. It sets 15 flexible standards to protect children when they are exploring, learning and playing online. These high privacy standards protect children by ensuring that the best interests of the child are at the forefront when online services are designed and developed.
Who does the Children’s Code apply to?
The Children’s Code applies to all businesses or Information Society Service (ISS) providers that process personal data and are likely to be accessed by children in the UK. This means that the Children’s Code also applies to non-UK businesses that process the personal data of children in the UK.
An ISS is any service normally provided for remuneration at a distance (ie when the customer and provider are not simultaneously present in the same place at any stage) by electronic means. In practice, ISSs can include: apps, programs, websites, social media platforms, content streaming services, educational websites, EdTech companies, games or community environments, and connected toys or devices with or without screens.
What are the 15 standards of the Children’s Code?
The 15 standards in the Children’s Code explain how a business or ISS should conform with the GDPR where children’s personal data is concerned. Some of the key standards include:
Best interests of the child
This is the primary and most important standard that coders, UX designers and system engineers should consider when designing and developing online services for children. When online services are being designed, businesses must consider how, in their use of children’s personal data, they can:
keep children safe from exploitation
protect children’s health and wellbeing
protect children’s emotional and psychological development
protect children’s right to develop their own views and identities
protect children’s right to play
support the needs of differently-abled children
recognise and implement safeguards for parental approval
Data protection impact assessments
Businesses should undertake a DPIA to assess and mitigate the risks to the rights and freedoms of children who are likely to access their service. Much as they would conduct a health and safety risk assessment, businesses should assess the risks to children’s data and wellbeing resulting from the business’ products and services.
Businesses should be aware of the level of risk their activities pose, for example whether any of their products or services involve ‘innovative technologies’ or a ‘systematic’ or ‘extensive’ processing of personal data. In doing so, a business can assess whether the processing will have a significant effect on a child’s circumstances, behaviour, privacy or legal status.
For more information, read Data protection impact assessments.
Data sharing
Businesses must not disclose a child’s data unless they can demonstrate that it is necessary to do so, taking into account the child’s best interests. This also applies where data is shared between different teams internally, where third-party services are used (eg for age verification), or where data is used with artificial intelligence.
Nudge techniques
A nudge technique is a design feature that encourages users to follow a particular path (eg by clicking on a particular on-screen option). Businesses should not use nudge techniques that encourage children to provide unnecessary personal data. Nudge techniques aimed at improving privacy for children are encouraged, as are nudges that promote health and wellbeing. For example, a nudge telling a child that they have been continuously online for too long is acceptable, whereas a nudge encouraging them to share their data publicly with third parties is not.
For more information, including recommended age-based design practices, see the ICO’s guidance on using nudge techniques.
Default settings
By default, settings must be ‘high privacy’ unless businesses can provide a compelling reason for a different default setting. This means, for example, that a child’s online data must not be made automatically visible to others, and that additional data the business may want but does not require must not be collected by default.
Geolocation
Unless there is a justifiable reason, businesses should switch off geolocation services by default. Whenever a platform uses a child’s location, this should be obvious to the user, and settings should automatically revert to the default where necessary.
Policies and community standards
For a full list of the standards, read the Children’s Code on the ICO website. Further guidance and resources on the Children’s Code can also be found on the ICO’s website. Ask a lawyer if you have any specific questions or concerns about complying with the Children’s Code or if you require bespoke documents drafted.
What are the consequences of not complying with the laws on children’s data protection?
The consequences of failing to comply with data protection laws are severe. If a business that processes children’s personal data is found to be in breach of its data protection obligations (eg those in the GDPR or the Privacy and Electronic Communications Regulations (PECR)), the ICO can take action against it. For serious breaches, this can include fines of up to £17.5 million or 4% of annual turnover. For more information, see the ICO’s website.
If you have any questions or concerns about your data protection obligations, do not hesitate to Ask a lawyer. Consider using our GDPR compliance service to ensure you comply with all applicable data protection laws.