"As you grow older, you will discover that you have two hands, one for helping yourself, the other for helping others". Audrey Hepburn
Collecting, storing and using children’s personal data carries certain high risks and requires special attention. Children may be less aware of the risks, and organisations have a responsibility to take children’s vulnerability into account in the way they communicate with them about what they do with their data and how they can exercise their rights.
Children’s data is a regulatory priority for the Information Commissioner’s Office (ICO). They are obliged under the GDPR, when promoting public awareness and understanding of risks, rules, safeguards and rights in relation to the processing of personal data, to give “specific attention” to activities addressed to children.
The ICO makes clear that it is unlikely that the commercial interests of an organisation will outweigh a child’s right to privacy. This means where they see harm or potential harm to children the ICO will likely take more severe action against a company than would be the case for other types of personal data.
Best interests of the child
Children are identified as vulnerable individuals and deserving special protection under the General Data Protection Regulation (GDPR). In the same vein, children have the same rights as adults over their personal data as well as special rights in respect of their fundamental human rights.
Article 3 of the United Nations Convention on the Rights of the Child (UNCRC) sets out the concept of the best interests of the child, which the ICO points to when considering compliance and making decisions about the processing of children’s personal data. The ICO says “considering the best interests of the child should form part of your compliance with the lawfulness, fairness and transparency principle".
The best interests of the child provide an important framework that helps organisations to understand the needs and rights of children from the outset, when designing and developing processing activities, and where any conflicts arise.
What does the GDPR say about children?
Although the GDPR maintains many of the rights that children previously had over their personal data under the UK’s Data Protection Act 1998, the legislation revolutionised data protection and privacy laws, a change brought about by the development of the modern digital economy. The GDPR’s aim is to give individuals back control of their personal data, and it requires organisations to put in place appropriate technical and organisational measures to implement the data protection principles and safeguard individual rights.
- Recital 38 makes clear that “Children merit specific protection with regard to their personal data as they may be less aware of the risks, consequences and safeguards concerned and their rights in relation to the processing of personal data. Such specific protection should, in particular, apply to the use of personal data of children for the purposes of marketing or creating personality or user profiles and the collection of personal data with regard to children when using services offered directly to a child".
What are the rules about an Information Society Service (ISS) and consent?
The importance of protecting children in the digital economy introduces new requirements for the online processing of a child’s personal data. The major provision in relation to children is Article 8, which means that where an ISS is offered directly to a child, and you rely on consent as your basis for processing, children in the UK aged 13 or over are able to give their own consent. For children under this age (unless the ISS is an online preventive or counselling service), consent needs to be provided by the holder of parental responsibility over the child.
This means that if you make your ISS available to children, and you wish to legitimise your processing, you need to verify the source of consent: both the age of the child consenting and whether the holder of parental responsibility has given consent where required.
You are also required to make reasonable efforts (using available technology) to verify that any person giving consent on behalf of a child does, in fact, hold parental responsibility.
What about using children’s data for marketing, profiling or other automated decision-making?
The ICO also clarifies that any marketing to children under the GDPR must be fair and not exploit the vulnerability of children. Children have the right to object to marketing, including profiling, and this must be clearly explained in a way that is accessible to a child. The ICO also notes that it may be inappropriate to collect and use profiles of children for marketing purposes.
Additionally, it is important to comply with sector-specific guidance such as the direct marketing requirements of the Privacy and Electronic Communications Regulations (PECR) 2003, codes issued by the Advertising Standards Authority (ASA), the ICO’s guidance on Children and the GDPR, and the Age Appropriate Design Code (also known as the Children’s Code), which is currently awaiting parliamentary approval.
Children’s capacity to understand the implications of their decisions
Children have specific needs in respect of processing their data compared to an adult’s personal data, and this is down to the gap in the level of understanding between the two data subjects. Assessing the level of competence will depend on the child’s age and development, the nature and complexity of the personal data, and the potential consequences of them exercising these rights.
There are some questions that you will have to ask:
- If you wish to rely on consent as your legal basis for processing children’s data, you need to consider the competence of the child and whether they have the capacity to understand the collection and processing of their personal data. If they do, then they can provide consent.
- If the child is not competent then their consent cannot be informed and will be invalid.
- Another factor in gaining informed consent is presenting information in a way that a child will understand taking into account different levels of understanding among different age groups.
- If you get consent from someone with parental responsibility you need to ensure that the child knows they can withdraw that consent once they reach the point at which they do have a suitable understanding. (NB: if you are recording parental consent and child’s consent independently and the child later revokes consent, that doesn’t change the parent’s consent. It’s additional and overrides, but the parental consent is the parent’s data, not the child’s – this is relevant in circumstances where there is a subject access request).
- If your processing is necessary for the performance of a contract, then you need to prove a child has capacity to enter into a contract. This would also mean ensuring that the contract is actually lawful as well under contract law.
It is your responsibility as the data controller to ensure that these issues are addressed, and that adequate protection is given.
Privacy notices addressed to children must be child-friendly and age appropriate
Children have the right to be informed about what you do with their personal data, in the same way as adults. In order for processing to be fair, transparency is essential to ensuring that individuals have control and choice over their personal data by, for example, providing and withdrawing consent and actioning their individual rights.
Article 12 of the GDPR specifically references children and requires information to be provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child.
- Recital 58 expands: “Given that children merit specific protection, any information and communication, where processing is addressed to a child, should be in such a clear and plain language that the child can easily understand.”
One of the reasons why children require specific protection is that they may be less aware of the risks of the processing. Children should therefore be made aware of the risks involved in the processing, and any safeguards you have in place, in a child-friendly way, so that children (and their parents) understand the implications of sharing their personal data.
If you are relying on parental consent for ensuring consent is informed, it is the holder of parental responsibility who needs to understand what they are consenting to. In practice this means that you need to give both the holder of parental responsibility and the child clear and accessible privacy information.
How do we identify and mitigate risks in processing children’s data?
The GDPR says “You must do a DPIA before you begin any type of processing that is likely to result in a high risk to the rights and freedom of individuals” (Article 35).
If you plan to use children’s personal data for marketing purposes, profiling or automated decision-making, or intend to offer online services directly to children you must do a Data Protection Impact Assessment (DPIA).
If during your DPIA you identify a high risk that you cannot mitigate, you must consult the ICO. You may still be allowed to proceed with the processing but may need to “transfer” the risk to insurance or take other steps as advised by the ICO.
It is important to recognise that not all processing of personal data relating to children raises the same levels of risk. However, you may not know if the type of processing is likely to result in a high risk to children’s rights and freedom until you have completed your DPIA.
Keep children safe and protected!
Children are regarded as vulnerable to the processing of their personal data since they may be less able to understand how their data is being used, anticipate how this might affect them, and protect themselves against any unwanted consequences.
Processing children’s data requires extra protection, and organisations should adapt their processing to take account of the different levels of comprehension and age, and tailor it to children’s needs so that they can have the same control and choice over their personal data as adults have. This means designing and developing child-friendly systems and interfaces and ensuring that all your communications with children are easy to understand.
Steps should be taken to evaluate the risk to ensure that adequate protection and safeguards are in place. This includes considering other rules and codes on children that are likely to affect the type of processing that may present risks to the child.
In essence, considering the best interests of the child should be at the heart of complying with transparency and accountability under the GDPR, but all of the data protection principles need to be considered in the context of children’s data.