The ICO exists to empower you through information.

Default privacy settings

Share Download options

Pages

Format

Control measure: For services accessed, or likely to be accessed, by children, each processing activity is reviewed to determine whether it might pose a risk to children and then the default privacy setting is set to high privacy.

Risk: If the default privacy settings are not set to 'high', then this can indicate that appropriate steps are not being taken to protect children's information and wellbeing. Also, there is a risk of unauthorised or inappropriate access to children's information, or breaches in privacy. This may breach article 5 (1) (f) (a) and 25 of the UK GDPR.

Ways to meet our expectations:

  • Set the default setting to 'high privacy' for direct and core processing of children’s information, unless there is a compelling reason for a different default setting, taking into account the best interests of the child.
  • Document the decision-making process if you determine that some core processing for children does not require a high privacy setting (eg for safeguarding reasons).
  • Ensure children’s personal information is not visible or accessible to other people who use the service or third parties.

Options to consider:

  • Implement prompts or information messages that inform children of the risks when disabling or lowering high privacy default settings.
  • Promote and raise awareness of privacy settings or pro-privacy features in your online service, such as advertising locations or on feeds.

 

Control measure: There are measures in place to ensure that any user or system generated changes to privacy settings do not compromise children’s privacy.

Risk: Without safeguards in place, if privacy settings are lowered as a result of service changes or action by the user, previous settings will be lost and privacy will be at risk. This may breach article 5 (1) (f) of the UK GDPR.

Ways to meet our expectations:

  • If children do change their settings, ensure that they return to the high privacy defaults when they end the current session.  
  • Provide children with age-appropriate explanations and prompts at the point they attempt to change any privacy settings.
  • If settings are changed, ensure that age-appropriate content and ads are still served.
  • Implement measures to retain any privacy settings that children have applied following a software update, an update to security measures or an introduction of new features.
  • Allow children to set up their own profiles with their own individual privacy settings if your online service allows multiple people to access the service from one device.
  • Ensure children can access and check profiles easily. 

Options to consider:

  • Use screen-based options or voice recognition technology for voice activated online services so children (and parents or guardians, where appropriate) can easily check privacy settings.