The blog post focuses on the following three standards:
- best interests of the child;
- detrimental use of children's data; and
- data minimisation.
The ICO explains that the concept of the best interests of the child comes from the United Nations Convention on the Rights of the Child (UNCRC). Put simply, the best interests of the child are whatever is best for any individual child using your service.
Organisations should consider how their use of children's data impacts on the range of rights children hold under the UNCRC. Four general parts of the UNCRC that organisations should be addressing are:
- children have the right to be safe from commercial exploitation (UNCRC Article 32): internet society services should avoid default personalised targeting of service features that generate revenue; organisations should think about how they can provide transparent information around how children's data may be monetised; personalised advertising should not be on-by-default; they should also abide by the Committee of Advertising Practice standards and avoid marketing age-inappropriate or fraudulent products;
- children have the right to be protected from abuse when they interact with others (UNCRC Article 34): on-by-default data sharing with other service users might expose children to risks of violence or abuse; organisations should therefore ensure that privacy settings are set at high privacy by default and that children can understand how their information is shared; organisations should also ensure that children's personal data does not fall into the wrong hands;
- children have the right to have access to a wide range of information and media (UNCRC Article 17): organisations should think about whether children can find diverse, age-appropriate information as they learn and grow and how they can find it; online services should not serve personalised news and information that exposes children to information not in their best interests, e.g., disinformation or content that may be harmful to their health; and
- children have a right to play (UNCRC Article 31): this may be as simple as using data analytics to improve gameplay functions or the safe functioning of connected toys or devices; that might mean using children's personal data to improve their user experience, making it more enjoyable or easier to use; organisations should also consider a child's freedom to join or leave online groups; organisations should also provide clear privacy notices that children can understand and give them control over who they can share information with.
As for the detrimental use of data, organisations must comply with the requirements set out in the UK GDPR, but also conform with industry codes of practice, other regulatory provisions, or Government advice. Keeping up to date with the relevant industry guidance is a good starting point, the ICO says. The ICO also has guidance on the relevant provisions to consider before marketing, broadcasting, gaming and news publication for children.
The ICO will refer to other codes of practice, such as the Advertising Standards Agency's CAP code or the Office of Fair Trading's Principles for online and app-based games, or regulatory advice where relevant, to help it assess conformance to this standard.
Organisations must, in their Data Protection Impact Assessment, consider the obligations defined in relevant provisions and the potential risks and detriment to children.
As for data minimisation, organisations must be clear about the purposes for which they collect personal data. They should collect the minimum amount of data needed for those purposes and store that data for the minimum amount of time.
Organisations need to differentiate between each individual element of their service and consider what personal data is needed to deliver each element and for how long.
Children should be given as much choice as possible over which elements of the service they wish to use and how much personal data they need to provide. Using data beyond its original function or gathering more data than is necessary to perform this function should be avoided. This is particularly important if organisations are using personal data to "improve", "enhance" or "personalise" their users' online experience beyond the provision of the core service.
The ICO's next blog post will cover transparency, parental controls and online tools.