Skip to main content

Understanding the data rights of children

(Image credit: Image source: Shutterstock/Wright Studio)

Recently OFCOM released its latest research around connected kids. Ten is now the age of digital independence with more than half of this age group owning a smartphone. It was also found that more children now listen to Alexa than they do to the radio. Kids want interactivity – a media channel that answers back in real time.

For many parents with young children the results of this study will be terrifying as the stats show that digital awareness is getting younger and younger. In 2015 only 30 per cent of 10 year olds had access to a smartphone and this trend looks set to continue, with increasing numbers of nine year olds now owning a connected device. With the kids now set to be at home indefinitely following the schools closure many schools and nurseries are implementing remote learning and therefore children's awareness of all things digital will soar and get even younger.

For marketers this shift also comes with concerns, particularly for organisations that may process children’s data, perhaps without realising.

As a result it is unsurprising that the ICO has unveiled a new set of standards to protect children’s privacy online. Whilst many of these standards are specifically for digital interactions such as apps, some also cover interactions that that might not specifically be designed for, but are likely accessed by, children. It is therefore critical that organisations that could potentially process children’s data  (even if they don’t explicitly target them)  are aware of these new rules.

The key for the ICO is that children’s privacy is not compromised in the pursuit of profit.

If these standards are approved, organisations will have 12 months to update their practices before the code comes into full effect. The ICO expects this to be by autumn 2021.

  • The new standards are:

Best interests of the child: The best interests of the child should be a primary consideration in the design and development of online services likely to be accessed by a child.

Data protection impact assessments: Undertake a DPIA to assess and mitigate risks to the rights and freedoms of children which arise from data processing. Take into account differing ages, capacities and development needs and ensure that the DPIA builds in compliance with this code.

Age appropriate application: Take a risk-based approach to recognising the age of individual users and ensure the standards in the ICO’s code are applied to child users. Either establish age with a level of certainty that is appropriate to the risks to the rights and freedoms of children that arise from data processing, or apply the standards in this code to all customers instead.

Transparency: The privacy information provided to customers and other published terms, policies and community standards, must be concise, prominent and in clear language suited to the age of the child. Provide additional specific ‘bite-sized’ explanations about how you use personal data at the point that use is activated.

Detrimental use of data: Do not use children’s personal data in ways that have been shown to be detrimental to their wellbeing, or that go against industry codes of practice, other regulatory provisions or Government advice.

Policies and community standards: Uphold your own published terms, policies and community standards (including but not limited to privacy policies, age restriction, behaviour rules and content policies).

Default settings: Settings must be ‘high privacy’ by default (unless you can demonstrate a compelling reason for a different default setting, taking account of the best interests of the child).

Data minimisation: Collect and retain only the minimum amount of personal data you need to provide the elements of your service in which a child is actively and knowingly engaged. Give children separate choices over which elements they wish to activate.

Parental controls

Data sharing: Do not disclose children’s data unless you can demonstrate a compelling reason to do so, taking account of the best interests of the child.

Geolocation: Switch geolocation options off by default (unless you can demonstrate a compelling reason for geolocation to be switched on by default, taking account of the best interests of the child). Provide an obvious sign for children when location tracking is active. Options which make a child’s location visible to others must default back to ‘off’ at the end of each session.

Parental controls: If parental controls are provided, give the child age appropriate information about this. If the online service allows a parent or carer to monitor their child’s online activity or track their location, provide an obvious sign to the child when they are being monitored.

Profiling: Switch options which use profiling ‘off’ by default (unless it can be demonstrated that a compelling reason for profiling to be on by default, taking account of the best interests of the child). Only allow profiling if there are appropriate measures in place to protect the child from any harmful effects (in particular, being fed content that is detrimental to their health or wellbeing).

Nudge techniques: Do not use nudge techniques to lead or encourage children to provide unnecessary personal data or weaken or turn off their privacy protections.

Connected toys and devices: If you provide a connected toy or device ensure you include effective tools to enable conformance to this code.

Online tools: Provide prominent and accessible tools to help children exercise their data protection rights and report concerns.

So there you have it. Everything you need to know about data management with regards to children.

Mike Fox, founder, UKChanges