ICO and DPC Guidance Regarding Children’s Data and the Services aimed at Children

Reading Time: 4 minutes
AdobeStock 396682798


Trilateral Research |

Date: 20 January 2022

Information Commissioners Office of the UK and the Data Protection Commission of Ireland recognise the special need for protecting the children and children’s data, including in the context of concerns around such data being used for various commercial purposes. Based on the principles of the GDPR, both authorities issued their guidance or set of standards and considerations when it comes to children. Therefore, as expected, ICO’s “Age appropriate design: a code of practice for online services” (“Code”) and DPC’s “Fundamentals for a child oriented approach to data processing” (“Fundamentals”) have a lot in common. Both authorities are led with the principle of the child’s best interest when formulating their guidance. In each instance, the DPA’s sought and received the input from a wide array of stakeholders, ranging from online industry to the children themselves. The following article outlines the commonalities and points of divergence between the codes to highlight were standards may be emerging and assist stakeholders in selecting between them as a point of reference.

Target audience(s)

The two documents, although similar in nature and intent, differ somewhat in their target audience. Jenny Dolan of the DPC who led on the development of the Fundamentals stated:

In terms of differences between the Fundamentals and the Code, the most obvious relates to the purpose of the two sets of guidelines. The Code has statutory underpinning and the ICO was mandated under the UK Data Protection Act to put in place a design code, so that necessarily means that one segment of its target audience will be software engineers, UX designers, coders, so that the principles of the Code will be built into the architecture of online services. So the scope is more targeted in that it focuses on the necessary privacy-by-design features that must be engineered from the outset into services used by children. On the other hand, the scope of our Fundamentals is somewhat broader in that it is not focused solely on the engineering and design of online products and services and also applies in offline contexts, which is different focus from the Age Appropriate Design code.

Main messages

The main messages of both documents are best laid out in the in 15 Standards for age appropriate design devised by the ICO and 14 Fundamentals for protection of children in processing their personal data. Most of these items carry the same messages, even when titled and formulated somewhat differently.

The GDPR principle of accountability requires organisations to firstly determine if they target or collect children’s data.  Where a data controller processes children’s data it is subject to a higher standard of protection. Both Supervisory Authorities and the wider public, as seen in the DPC’s public consultation, show special sensitivity to the children’s data and the services offered to the children. Having the correct and proactive approach towards this issue will support legislative compliance as well as contribute to a positive perception of the organisations as well.

Both documents aim to establish a minimum levels of protection and oblige the controllers to follow the principle of the child’s best interest. The bar for necessity for obtaining the data is raised higher by virtue of obligation for the controllers to set the privacy settings at the highest levels by default. For instance the geo location or data sharing should be switched off as a default. Due to the particular vulnerability and susceptibility to online advertising, the profiling features need to be turned off unless this feature is in the best interest of the child. Indeed, under the Data Protection Act 2018 Section 30, it is an offence for organisations to process personal data of a child being a person under 18 years of age, for the purposes of direct marketing, profiling or micro targeting.

Both Supervisory Authorities stress that the children should not be protected from online world, but rather protected from the dangers it brings. Therefore the controllers’ position should not be the one of exclusion but adaptation. Children need to be informed of the processing activity, their rights and risks in a way it is understandable to their age group. They should also be in position to exercise their rights as data subjectseither individually, or through their parent or a guardian.

The ages of digital consent in UK and Ireland are both below the age of 18. However, where the data subject are children, the information given to them while obtaining the consent need to be clear, transparent and understandable according to the age of the data subject. Nudge techniques to obtain the child’s consent should not be used.

ICO and DPC require all the controllers to carry out the Data Protection Impact Assessment in order to minimise the data protection risks of their services, and in particular the specific risks to children which arise from the processing of their personal data.

Finally, both Authorities require the controllers to follow the principles of data protection by design and by default. DPC’s Fundamental number 14 paints it well by suggesting to “Bake it in!”, while, as noted above, the ICO’s Code provides technical design principles to assist with this.

Neither of the Supervisory Authorities prescribe the particular ways to achieve compliance with either guidance. Instead, they leave it to the individual controllers to apply the standards and fundamentals in their particular way. This gives organisations certain flexibility, but brings challenges as well. Given the lack of precedent in the matter, organisations must ensure they posess or procure adequate expertise in order to bring their processing in line with the requirements. DPC is currently carrying two inquiries regarding the processing children’s data. The outcome of these inquiries may result in significant monetary  fines and reputational damage to the investigated organisations

Trilateral Research specialises in processing activities, including DPIA’s and data processing agreements, for children’s and vulnerable individuals data. Our existing relationships with the ICO and the DPC have provided us with a strong understanding of their expectations. Trilateral Research can work with your organisation on creating and maintaining these processes in order to keep your processing in line with legislative and standards’ requirements.

Contact us for more information.

Related posts

AI is rapidly transforming industries. Take for example the legal field, which is traditionally conservative in relation to technology. More…

Let's discuss your career