Guidance

Child online safety: Data protection and privacy

This guide is to help you and your business understand issues around data protection and privacy. It is intended for organisations that provide online services likely to be accessed by children.

From:
Department for Science, Innovation and Technology and Department for Digital, Culture, Media & Sport
Published
29 June 2021
Last updated
27 September 2021 — See all updates

Children need particular protection when you are collecting and processing their personal data because they may be less aware of the risks it can pose. They may also be less aware of their data rights.

What you must do as a business

  1. Familiarise yourself with your general data protection obligations. Data protection law sets out what should be done to make sure everyone’s data is used properly and fairly. The Information Commissioner’s Office (ICO) has a hub for small to medium sized enterprises which provides guidance and checklists to help you comply.

  2. Consider whether you need to conform with the 15 standards of the ICO’s Age Appropriate Design Code or ‘Children’s Code’. This is a data protection code of practice and covers apps, websites, video games, social media and connected toys likely to be accessed by children. This guide sets out more information on what the Code is and what you need to do to conform. Among other standards listed in full below, the code requires that:
    - A data protection impact assessment (DPIA) must be completed. See ICO guidance for more on DPIAs. The Code also contains a template that you can use.
    - Settings must be ‘high privacy’ by default.
    - Only the minimum amount of personal data should be collected and retained.
    - Children’s data should not usually be shared unless you can demonstrate a compelling reason to do so, taking into account the best interests of the child.
    - Geolocation services and profiling should be switched off by default.

How you can go above and beyond

  • Consider taking part in an ICO Regulatory Sandbox. This is a service developed by the ICO to support organisations who are creating products and services which utilise personal data in innovative and safe ways.

Why this is important

  • Personal data sits at the heart of the digital services children use every day. One in five UK internet users are children. Following these requirements will ensure children are empowered to make the most of the benefits of going online while ensuring their data is kept safe.
  • Following the data protection requirements listed on this page will show parents and other users of your services that you take children’s privacy seriously, you can be trusted with children’s data and your services are appropriate for children to use.
  • Personal data relating to children is afforded special protection in the UK General Data Protection Regulation (GDPR) and is a regulatory priority for the ICO. The ICO supervises and supports organisations to comply with their data protection obligations. Where this does not happen, it can take regulatory action including orders to prevent data processing or fines of up to £17.5 million or up to 4% of your total annual worldwide turnover, whichever is higher, for infringements of the UK GDPR.

Summary of the 15 Age Appropriate Design Code Principles

1. Best interests of the child: The best interests of the child should be a primary consideration when you design and develop online services likely to be accessed by a child. You need to consider the needs of children and work out how you can best support these in the design of your service, when you process children’s personal data.

2. Data protection impact assessments (DPIA): Undertake a DPIA to assess and mitigate risks to the rights and freedoms of children who are likely to access your service, which arise from your data processing. Take into account differing ages, capacities and development needs and ensure that your DPIA builds in compliance with the Code.

3. Age appropriate application: Take a risk-based approach to understanding the age of individual users on your service. This could range from requiring users to self-declare their age, to confirming age from formal identity documents such as a passport, depending on the level of risk to children on your service. You could also choose to apply the standards of the Code to all of your users. If you rely on consent for any aspects of your online service, you need to get parental authorisation for children under 13.

4. Transparency: The privacy information you provide to children must be concise, prominent and in clear language suited to the age of the child accessing your service.

5. Detrimental use of data: You should not use children’s personal data in ways that have been shown to be harmful to their wellbeing, or go against industry codes of practice, other regulatory provisions or government advice.

6. Policies and community standards: You should uphold your own published terms, policies and community standards to make sure your use of children’s personal data is fair.

7. Default settings: Settings must be ‘high privacy’ by default for children (unless you can demonstrate a compelling reason for a different default setting, taking into account the best interests of the child).

8. Data minimisation: Only collect and retain the minimum amount of personal data you need from children.

9. Data sharing: Do not disclose children’s data unless you can demonstrate a compelling reason to do so, taking into account the best interests of the child.

10. Geolocation: Switch geolocation options off by default unless you can demonstrate a compelling reason to do so. You need to provide an obvious sign for children when location tracking is active.

11. Parental controls: If you provide parental controls, give the child age appropriate information about this and if you allow parents or carers to monitor a child’s online activity or location, provide the child with a sign that this is active.

12. Profiling: Switch options which use profiling ‘off’ by default for children (unless you can demonstrate a compelling reason for profiling to be on by default, taking into account the best interests of the child).

13. Nudge techniques: Do not use nudge techniques to encourage children to provide unnecessary personal data or turn off privacy protections.

14. Connected toys and devices: Ensure connected toys and devices include tools to enable conformance with the Code.

15. Online tools: Provide prominent and accessible tools to help children exercise their data protection rights and report concerns.

Getting support

The Children’s Code does not address all data protection requirements and you may still need to consider issues such as data security. The ICO, the UK’s regulator for data protection, has a range of resources available on its website which sets out further information, including:

You are also able to make enquiries directly with the ICO via:

Part of A business guide for protecting children on your online platform

Published 29 June 2021
Last updated 27 September 2021 + show all updates

  1. Updated What you must do as a business section.

  2. First published.

Contents

Related content