As many as 1 in 3 internet users are children[1] and Ofcom has reported that around a quarter of 5–7 year olds own a smart phone[2]. Children’s online activities raise significant privacy risks, which are now in the regulatory spotlight.
The UK was one of the first countries to act, launching the Children’s Code in 2020, and since then, Children’s Codes have been implemented in California and the Netherlands and proposed in Australia. Ireland has adopted the “Children’s Fundamentals”, and Singapore issued Advisory Guidelines on children’s data. In addition, the European Commission adopted a better internet for kids (BIK+) strategy.
In recent months, regulatory momentum in the UK has increased. In August, the Information Commissioner’s Office (“ICO”) warned 11 social media and video sharing platforms to make improvements in their handling of children’s data, or face enforcement action. We are also increasingly seeing active enforcement in this space, in the UK, the EU, and beyond, which has included some significant fines.
In order to support compliant processing of children’s data, most online services likely to be accessed by UK children (under 18) are expected to address the 15 standards set out in the Children’s Code. The ICO must take this into account when considering if a relevant online service has complied with its data protection obligations.
The ICO Children’s Code Strategy for 2024/25 indicates that children’s data will remain a regulatory priority, especially in respect of the following priority areas:
- Privacy and geolocation settings. Children’s location information can be misused, which may impact on wellbeing. Their profiles should be private and geolocation settings off, by default.
- Profiling for targeted advertisements. Children may not realise that their information is being used to influence what adverts they are shown. This can also result in financial harm, e.g. if they are directed to in-app purchases. Profiling of children should be switched off, unless there is a compelling reason not to.
- Recommender systems. Content feeds may run on algorithms that use information from behavioural profiling and analysis of children’s search results. This can draw children towards undesirable content. Recommender systems may also encourage children to stay longer on a platform and provide more personal data.
- Children under 13 years old. Parental consent is required to process personal data of any child under age 13 in the context of an online service.
Online service providers are advised to check their compliance in this area.
Article co-authored by Ryan Kelly, Solicitor Apprentice at CMS.
[1] https://digital-strategy.ec.europa.eu/en/policies/better-internet-kids#:~:text=Around%20one%20in%20three%20internet,games%20and%20using%20mobile%20apps.
[2] https://www.ofcom.org.uk/media-use-and-attitudes/media-habits-children/a-window-into-young-childrens-online-worlds/
Social Media cookies collect information about you sharing information from our website via social media tools, or analytics to understand your browsing between social media tools or our Social Media campaigns and our own websites. We do this to optimise the mix of channels to provide you with our content. Details concerning the tools in use are in our Privacy Notice.