The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

How can we make sure that we meet the ‘best interest of the child’ standard?

You need to think about what’s appropriate and in the best interest for children visiting or using your service. How can you make sure that you are not using their data in a way that isn’t in their best interests?

You should consider how, in your use of personal data, you can:

  • keep them safe from exploitation risks, including the risks of commercial or sexual exploitation and sexual abuse;
  • protect and support their health and wellbeing;
  • protect and support their physical, psychological and emotional development;
  • protect and support their need to develop their own views and identity;
  • protect and support their right to freedom of association and play;
  • support the needs of children with disabilities in line with your obligations under the relevant equality legislation for England, Scotland, Wales and Northern Ireland;
  • recognise the role of parents in protecting and promoting the best interests of the child and support them in this task; and
  • recognise the evolving capacity of the child to form their own view, and give due weight to that view.

In order to implement this standard, you need to consider the needs of child users and work out how you can best support those needs in the design of your online service, when you process their personal data. In doing this you should consider the age of the user.

How will my company know how old our users are, to meet the ‘age appropriate application’ standard?

How far you need to go in establishing age depends on what you are doing with children’s data and what the impact might be.

The code allow services the flexibility to adopt an approach to age assurance that works for their context. Options that are available include:

  • Self-declaration.
  • Artificial intelligence.
  • Third-party age verification services.
  • Account holder confirmation.
  • Technical measures.
  • Hard identifiers.

The level of certainty you require depends on the risks associated with your data processing, but generally speaking the higher the risks the greater your confidence needs to be.

Don’t forget, another option is to apply the standards in the code to all your users, regardless of age.

Does the standard on ‘detrimental use of data’ mean the ICO is now going to police what content is recommended to young users of social media platforms?

No. Personal data often drives the content that children see and the ICO is responsible for regulating the use of personal data.

If you are using children’s personal data to automatically recommend content to them based on their past usage or browsing history, then you have a responsibility for the recommendations you make.

Data protection law doesn’t make you responsible for third-party content, but it does make you responsible for the content you serve to children who use your service, based on your use of their personal data. This use of personal data is what the ICO regulates.

Organisations can’t use personal data in ways that are detrimental to children or that go against industry codes of practice. So, you need to keep up to date with relevant advice and recommendations on children’s welfare in the digital context. Relevant advice and codes are likely to include marketing, broadcasting and gaming regulations.

What do we need to do to meet the ‘privacy by default’ standard?

Your default position for each individual should be privacy-enhancing or ‘high privacy’. This means that children’s personal data is only visible or accessible to other users of the service if the child amends their settings to allow this.

This also means that, unless they change the setting, your own use of the children’s personal data is limited to what’s essential for you to provide the core service.

If a user does change their settings, you should generally give them the option to do so permanently or to return to the high privacy defaults when they end the current session. You should not ‘nudge’ them towards taking a lower privacy option.

My app relies on geolocation to provide its service. Will the code require me to turn it off?

No. If you have to process any geolocation data in order to provide your core service, you don’t need a privacy setting for this.

You should offer children control over whether and how their personal data is used, whenever you can.

However, any geolocation services that go over and above your core service should be subject to a privacy setting. For example, enhanced mapping services that make recommendations for places to visit based on location would need a privacy setting.