Data protection update: A focus on children

ICO blog post: Spotlight on the Children’s Code standards - best interests of the child, detrimental use of children’s data and data minimisation

On 28 June the ICO published a blog post focusing on three principles of its Children's Code, which applies to Information Society Services (ISS) likely to be accessed by children, not just services aimed at children:

• Best interests of the child – this concept comes from the United Nations Convention on the Rights of the Child (UNCRC) and the ICO highlights 4 points that ISS providers should address:

1. Children have the right to be safe from commercial exploitation – organisations should avoid default personalised targeting of service features that generate revenue, provide transparent information around how children’s data may be monetised, not turn on personalised advertising by default, abide by the Committee of Advertising Practice (CAP) standards, and avoid marketing age-inappropriate or fraudulent products.
   
   
2. Children have the right to be protected from abuse when they interact with others. Organisations should think about privacy settings and ensure that children who use their service understand how their information is shared.
   
   
3. Children have the right to have access to a wide range of information and media – organisations should think about whether and how children can find diverse, age-appropriate information. Online services should not expose children to personalised news, information or disinformation that is not in their best interests.
   
   
4. Children have a right to play - this may involve using analytics to improve gameplay functions or the safe functioning of connected toys or devices, or using children’s personal data to improve their user experience, making it more enjoyable or easier to use. Organisations should think about children's freedom to join or leave online groups and must provide clear privacy notices that children understand and give them control over who they share information with.

• Detrimental use of data – organisations must comply with all relevant codes of practice and guidance, including those specific to their industry, the Advertising Standards Agency CAP Code and the OFT (now the CMA) Principles for online and app-based games.
  
• Data minimisation – organisations must:

• be clear about the purposes for which they collect personal data;
  
• collect the minimum amount of data they need for those purposes;
  
• store that data for the minimum amount of time;
• differentiate between each individual element of their service and consider what personal data is needed to deliver each element and for how long;
• give children as much choice as possible over which elements of the service they wish to use and how much personal data they need to provide; and
• avoid using data for a function other than that for which it was collected, or gathering more data than is necessary to perform this function.

DCMS publishes business guide for protecting children on your online platform

On 29 June the Department for Digital, Culture, Media and Sport (DCMS) published a business guide for protecting children on online platforms, which contains a section on data protection and privacy. This tells businesses that they must:

• familiarise themselves with their obligations under data protection law; and
• consider whether they need to comply with the 15 standards set out in the ICO's Children's Code (including the three principles covered in the ICO blog post covered above).

These publications show that both the ICO and DCMS are prioritising the protection of children online, including their personal data. If you provide online services which are likely to be accessed by children, you must comply with the Children's Code, which can be complex, as you need to consider the requirements of different age groups. Our specialist data protection lawyers can support your business to comply with the law and the code, so please contact us for bespoke advice.

Dutch DPA imposes fine of €750,000 for privacy notice in English only

The Dutch data protection authority (DPA) has fined a company in the technology sector €750,000 for only providing its privacy notice in English, while the company's service was used by a large number of Dutch children. The DPA stated that this was a breach of the GDPR, which provides that the controller shall take appropriate measures to provide any information relating to the processing of personal data to data subjects in a concise, transparent, and intelligible and easily accessible form, using clear and plain language, in particular for information addressed specifically to a child. The fine related to a limited period of time, because the company has now rectified the position.

This decision serves as a useful reminder that organisations that provide online services, in particular services used by children, must ensure that their privacy notices are intelligible to its users.