It’s Safer Internet Day – a day to promote internet safety for children and young people around the world. According to a 2020 survey conducted by the Office of National Statistics, almost 90% of children between the ages of 10 and 15 said they went online every day, with more than 75% spending three or more hours online a day at the weekend. The experience of the COVID-19 pandemic is likely to have heightened this trend, with children forced to rely on remote communications for both education and socialising. Given the prevalence of children’s online activity, it’s important to ensure that the risks posed by their internet usage do not outweigh the benefits.
One aspect of internet safety is protecting children’s privacy online. The UK GDPR specifically states that children (ie under-18s) require ‘specific protection’ under data protection law because they may be less aware of the risks and implications of allowing others to process their personal data. This means that if your business processes children’s personal data (online or otherwise), you are under enhanced legal obligations. We take a look below at some of the steps your business should be taking to protect children’s personal data.
Protecting children’s personal data
In addition to your usual data protection obligations, which apply whenever your business is processing an individual’s personal data, if you will be processing children’s personal data, you must take the following steps:
- Carefully consider what lawful basis you’re relying on for your processing and whether it remains appropriate in the context of processing children’s data specifically. See When to use personal data for guidance about the lawful bases for data processing.
- If you will be relying on consent as your lawful basis when offering online services to children under 13, bear in mind that they cannot give consent themselves; you must get consent from a parent or guardian before you collect or use any of their personal data (see Consent to use personal data for further guidance).
- Provide privacy information to children in a clear, easily accessible and age-appropriate way (even if you’re relying on parental consent to process their personal data). In particular, children have the same rights as adults over their personal data, and you should ensure that it is easy for them to understand what those rights are and how they can exercise them. See Privacy information for further guidance about how to set out your privacy information.
- Don’t share children’s personal data unless you have a compelling reason to do so (eg for safeguarding purposes) and make sure you carry out a data protection impact assessment (DPIA) before doing so.
- Consider carrying out a DPIA if you will be regularly processing children’s personal data, to help you to assess and mitigate the risks associated with this. Bear in mind that you must carry out a DPIA if your processing is likely to result in a high risk to the rights and freedoms of children (eg because you will be using their personal data for marketing purposes or automated decision-making). Equally, the ICO has indicated that, in practice, a DPIA will always be required if the Age Appropriate Design Code applies to your online service (see more below). See Data protection impact assessments for guidance about when and how to conduct a DPIA and Data protection impact assessment policy for a template policy setting out when and how your business will conduct a DPIA.
- If it’s reasonable for you to do so, consider consulting with children about the way in which their data is processed. This can help you to design your service in a child-friendly and child-safe way.
Generally speaking, you should be thinking about how to protect children’s privacy from the outset, ensuring that it is at the forefront of your mind when you design and develop your systems and processes, and then throughout the lifecycle of your business. This is called ‘data protection by design and default’.
What about the Age Appropriate Design Code?
Do you operate an online service for remuneration which is directed at, or likely to be used by, children? This covers most online services that are likely to be used by children, such as websites selling goods or services, games, connected toys and devices, and apps. If this is your business, you should comply with the ICO’s Age Appropriate Design Code.
The Code contains 15 flexible standards which set out what measures these types of online services need to put in place to ensure that children’s personal data is safeguarded. These include:
- Ensuring that the best interests of the child are a primary consideration when designing and developing your website or online service;
- Carrying out a DPIA to check to what extent your website or app complies with the standards set out in the Code and to identify what further action you need to take; and
- In most cases, ensuring privacy settings are set by default to ‘high’ and that geolocation options and other optional uses of personal data are switched off.
This may require you to make changes to the way in which your website or app is designed and/or to the way in which you process personal data.
To find out more about the Age Appropriate Design Code and what steps you need to take to comply, see our Q&A on Privacy and children.
Before joining Sparqa Legal as a Senior Legal Editor in 2017, Frankie spent five years training and practising as a corporate disputes and investigations lawyer at leading international law firm Hogan Lovells. As legal insights lead, Frankie regularly contributes to Sparqa Legal’s blog, writing content across employment law, data protection, disputes and more.