Processing Children’s Personal Data: Legal Considerations
Monday 10th October 2022
Child personal data is given special protections under data protection laws. In a recent statement relating to the potential £27m fine against TikTok for allegedly mishandling child personal data, the UK’s data regulator (the ICO) said: “We all want children to be able to learn and experience the digital world, but with proper data privacy protections. Companies providing digital services have a legal duty to put those protections in place”. Regulators are clearly prioritising the protection of children online and have recently indicated they have a number of investigations ongoing in this area.
Who is classed as a ‘child’?
Anyone under the age of 18. However, for ‘consent’ to be valid under GDPR, individuals must be at least 13 years old; if the child is under 13, consent must be given by a parent or guardian. It is worth noting that services need not be ‘directed’ at children to be caught by these stringent protections. For example, TikTok is aimed at online users in general but attracts a number of teenage users.
Shouldn’t parents be responsible for their children?
Safeguarding a child’s personal data does not only fall to the parents. The UN Convention on the Rights of the Child states that, in all actions concerning children, regardless of who is taking them, the best interest of the child must be a primary consideration.
What should businesses be doing to protect children’s personal data?
Businesses should:
- Use clear language in ‘bite-size’ chunks for children by:
  - telling them what the business is doing with the user’s personal data;
  - being open about the risks and safeguards involved; and
  - letting the user know what to do if they are unhappy.
- Establish what age range individual users are likely to fall into, so businesses can tailor the safeguards accordingly.
- Configure the service’s default settings as private to protect everyone’s privacy, even if the business does not expect children to use its services.
- Draft a Data Protection Impact Assessment (“DPIA”) to help assess and mitigate the risks to children.
- Have policies to support and demonstrate compliance with data protection legislation.
- Ensure that anyone who provides their consent is at least 13 years old and keep and update records of consent received.
- Consider providing visual or audio prompts telling children to get help from a parent if they try to change the privacy settings.
Businesses also need to be aware of the ICO’s statutory code of practice known as the ‘Children’s code’, which sets out a series of standards the ICO expects businesses to follow when designing and building online services that may be used by children. Examples of those standards are listed above.
Consequences for non-compliance
Non-compliance with data protection obligations in relation to children’s personal data could result in serious consequences. Fines under the UK GDPR can be levied up to £17.5m or 4% of annual global turnover. Although data regulators have not routinely issued fines at these levels, a recent example of a regulator’s approach to protecting children’s personal data online is the fine levied on Instagram (owned by Meta) by the Irish authorities, which amounted to €405m [£349m]. Instagram allegedly failed to protect children’s privacy by allowing the phone numbers and email addresses of teenage users to be exposed, because its settings were not designed to keep their information private by default.