The ICO exists to empower you through information.

Control measure: There are measures in place to ensure children’s information is not used to promote or market any services to them in a way that is obviously detrimental to their physical or mental health and wellbeing.

Risk: There is a risk that if services are promoted using information driven methods, a child's mental or physical wellbeing will be affected and there will be a breach of data protection law. This may breach articles 5 (1)(a-b), 6, 13 of the UK GDPR.

Ways to meet our expectations:

  • Limit the use of children’s personal information to what is essential for you to provide the main service.
  • Keep aware of relevant standards and industry codes of practice about children, including government advice on child welfare for digital or online services.
  • Review and check that there will be no detrimental effect on a child from any promotion of additional services (as a result of behavioural analytics or profiling of personal information).
  • Ensure that the child has to individually select and activate any optional uses of personal information that are designed to promote or market additional services.
  • Control when and where you encourage children to buy advertised products or persuade their parents or other adults to buy advertised products for them.
  • Ensure transparency for paid-for content and product placement.
  • Restrict user activation of any settings which allow third parties to use personal information, unless there is a compelling reason, taking into account the best interests of the child. 

Options to consider:

  • Implement rules that govern or prohibit the marketing of certain products to children, such as high fat, salt and sugar food and drinks and alcohol. 

 

Control measure: Where information is used to promote or personalise content feeds, the content is not obviously detrimental to the child or in breach of other regulatory restrictions or advice (eg Online Safety Act 2023 and advertising rules).

Risk:. Without appropriate checks and balances, there is a risk that content will be promoted or personalised which has the potential to have a detrimental effect and cause harm to children, risking breaching other regulatory restrictions.

Ways to meet our expectations:

  • Review and check that there will be no detrimental effect on a child from any promotion of additional content (as a result of behavioural analytics or profiling of personal information).
  • Complete checks before releasing personalised content to children to confirm that there will be no detrimental effects as a result of the personalisation.
  • Conduct further analysis to determine whether the content will have a detrimental effect on certain user profiles or personal characteristics.
  • Tailor the checks to take into account the various age groups of children and the differing effects the content may have, depending on the age of the child.
  • Ensure that the child has to individually select and activate any optional uses of personal information that are designed to personalise the service.
  • Present children with an easy way to report any unwanted, harmful or detrimental content.

Options to consider:

  • Assess the risk of children younger than the minimum age accessing personalised or promoted content.
  • Monitor third-party product placement, promotions, or advertising, particularly on community servers.

Useful links

ICO Age appropriate design code: 5. Detrimental use of data | ICO

ICO Age appropriate design code: 3. Age appropriate application | ICO

ICO Age appropriate design code: Annex B: Age and developmental stages | ICO

Ofcom Online safety: Online safety - Ofcom

ICO Content moderation guidance: Content moderation and data protection | ICO

 

Control measure: Strategies used to extend user engagement or encourage people to continue playing a game, watching video content or otherwise staying online, are not detrimental to a child's mental or physical wellbeing.

Risk: There is a risk that if continued use is incentivised using information driven methods, a child's mental or physical wellbeing will be affected. This may breach articles 5 (1)(a-b), 6, 13 of the UK GDPR.

Ways to meet our expectations:

  • Where your service is likely to be used by children (even if not designed for them), use caution to try to restrict children accessing any addictive elements or remove access altogether. 
  • Design features to take into account the needs of children and in a way that makes it easy for them to disengage, without feeling pressurised or disadvantaged if they do so.
  • Do not use personal information to incentivise continued use of the service.
  • Introduce mechanisms into the service, such as pause buttons, that allow children to take a break at any time without losing their progress in a game.
  • Provide age appropriate content to support conscious choices about taking breaks (eg considering the advice of the Chief Medical Officer’s to parents around children’s behaviour and time spent online).

Options to consider:

  • Implement prompts or informative messages supporting children to take breaks from extended or frequent engagement.
  • Review your online services regularly to remove addictive capabilities and discourage excessive engagement that may have arisen since you launched the service.
  • Monitor the online activity of children and support children who engage excessively.
  • Restrict push notifications that might encourage children to engage in an unhealthy way, such as overnight.
  • Avoid applying penalties to children that disconnect during online sessions.