Control measure: The privacy risks for children are considered before any profiling activities.
Risk: Without an appropriate assessment to determine the necessity of profiling children's information, there is a risk that the profiling is not lawful and will impact their rights and freedoms. This may breach recital 38 and article 22 of the UK GDPR.
Ways to meet our expectations:
- Assess whether profiling is essential to provide children with the service.
- Assess the impact to children's rights and freedoms of the profiling activities that are essential for you to provide your core service.
- Apply privacy settings that are 'on by default’ for all non-essential profiling.
Options to consider:
- Complete a DPIA to assess the risks of each profiling activity.
Useful links
ICO Age appropriate design code: 12. Profiling | ICO
ICO Children and the UK GDPR guidance: What if we want to profile children or make automated decisions about them? | ICO
ICO Children and the UK GDPR guidance: What if we want to target children with marketing? | ICO
ICO Age appropriate design code Tools for completing a data protection impact assessment (DPIA) | ICO
Control measure: Age-appropriate information is provided at the point any profiling options are turned on to inform children what will happen to their personal information and highlight any risks inherent in that processing.
Risk: Without appropriate privacy information that informs children about all types of profiling activities taking place, there is a risk of 'invisible' profiling that may have a detrimental effect on the child and reputational damage to the provider. This may breach articles 5(1)(f) and 12 to 22 of the UK GDPR.
Ways to meet our expectations:
- Give age appropriate and timely information about the processing at the point that profiling takes place.
- Assess whether you need any additional age assurance measures, (eg depending on the age range of the child, at the point at which profiling is enabled).
- Apply separate privacy settings for each different type of profiling. Do not bundle different types of profiling together under one privacy setting.
- Apply a separate privacy setting for any behavioural advertising, except if this is your core service.
- Provide age-appropriate prompts to children to seek assistance from an adult and not to activate the profiling, if they are uncertain or don’t understand.
Options to consider:
- Provide focused or bite-sized privacy information relevant to each profiling activity.
- Provide information or explanations using graphics or visual content to support accessibility.
- Allow children to actively select their preferences, instead of profiling them.
Control measure: Profiling is only undertaken when there are appropriate measures in place to protect the child from any harmful effects (in particular, when being fed online content or behavioural advertising that is detrimental to their health or wellbeing).
Risk: Without adequate protections in place, there is a risk that profiling activities could cause harmful effects on children, such as further content suggestions or behavioural advertising. This may breach UNCRC article 16 and article 5 (1) (a), recital 38 of the UK GDPR.
Ways to meet our expectations:
- Implement measures such as contextual tagging, robust user reporting procedures, and elements of human moderation to your service.
- Continuously review new content streams or services, and the materials being suggested or provided, to ensure they remain age appropriate.
- Apply editorial controls over the content being displayed when profiling is done about what further online content to suggest to children.
- Operate a valid consent ‘opt in’ (for children under 13, from the parent or holder of parental responsibility) for any profiling you do for behavioural advertising that is not part of the core service that the child wishes to access.
- Ensure that if you collect a child's personal information for one purpose, you do not use it for another, following profiling activities.
Options to consider:
- Make sure you adhere to codes of conduct or other regulatory provisions (eg The Editors’ Code of Practice or the Ofcom Broadcasting Code).
- Make sure you adhere to the UK Code of Non-broadcast Advertising and Direct and Promotional Marketing (CAP code) when you target advertising through using personal information.
Useful links
ICO Children and the UK GDPR guidance: What are the rules about an ISS and consent? | ICO
ICO Children and the UK GDPR guidance: What if we want to target children with marketing? | ICO
Ofcom Broadcasting Code: The Ofcom Broadcasting Code (with the Cross-promotion Code and the On Demand Programme Service Rules) - Ofcom
The Editors’ Code of Practice: Editors' Code of Practice (ipso.co.uk)
UK Code of Non-broadcast Advertising and Direct and Promotional Marketing (CAP code): Non-broadcast Code - ASA | CAP
Control measure: Where cookies are used for the purposes of profiling children, PECR rules are considered for the cookie setting. The profiling activities that the cookie supports or enables comply with the UK GDPR and the code.
Risk: Without consideration of the necessity, proportionality, fairness and lawfulness of the use of cookies within the service, this may breach PECR, UK GDPR and the code.
Ways to meet our expectations:
- Consider whether the cookie is for essential or non-essential processing. Apply an appropriate privacy setting, if the cookie isn’t essential to provide the service that the child wants to access.
- Keep evidenced consent for the cookie, as well as a UK GDPR lawful basis for processing (in practice this may also be consent).
- Evidence that the cookies you use for age estimation or age assurance are essential for your service. If you use the cookie solely for this purpose, then the child does not need to consent to the cookie.
- Provide transparency information if you use non-essential cookies to track user interaction.
Options to consider:
- Refresh consent for non-essential cookies, particularly as children become older and more able to understand the risks.
- Provide focused or bite-sized privacy information relevant to each cookie.
- Provide information or explanations using graphics or visual content to support accessibility.
Useful links
ICO PECR guidance: What are PECR? | ICO
ICO guidance on the use of cookies: Guidance on the use of cookies and similar technologies | ICO