In detail
What information should we give to children?
You must provide children with the same information about what you do with their personal data as you would give to adults. In order for processing to be fair, there is the same need for transparency, as this gives an individual control and choice.
A full list of the information you must provide, which varies depending upon whether the personal data has been provided by the individual themselves or a third party, is given in our Guide to the UK GDPR.
As one of the reasons why children require specific protection is that they may be less aware of the risks of the processing, it is also good practice, to explain the risks involved in the processing, and any safeguards you have put in place. This will help children (and their parents) understand the implications of sharing their data with you and others, so they can take informed and appropriates actions to protect themselves.
You should make your privacy notice clear and accessible and aim to educate the child about the need to protect their personal data.
How should we provide privacy information?
You should write in a concise, clear and plain style for any information you are directing to children in a privacy notice.
It should be child-appropriate and, as far as possible addressed directly to the relevant age group. If your target audience covers a wide age range then you could consider providing different versions of your notice for different ages. If you choose to only have one version then you need to make sure it is accessible to all and can be understood by your youngest age range.
You should present your privacy notice in a way that is appealing to a young audience. You should consider using diagrams, cartoons, graphics and videos that will attract and interest them. In an online context, you should consider the use of dashboards, layers, just-in-time notices, icons and symbols.
What if we are relying upon parental consent?
If you are relying upon parental consent then, in terms of ensuring that the consent is informed, it is the holder of parental responsibility rather than the child who needs to understand what they are consenting to. Providing them with clear privacy information should meet this requirement.
However, as has been made clear in the Transparency Guidelines issued by the Article 29 Working Party, children do not lose their rights as data subjects to transparency just because consent has been given by a holder of parental responsibility.
In practice this means that you need to give both the holder of parental responsibility and the child clear and accessible privacy information. Again you could achieve this by developing different versions for these different audiences, or by producing a child friendly version that can also be understood by parents.
This gives the consenting parent the information they need, and also help to inform and educate young children for the future and enable them to exercise their rights on their own behalf in line with their evolving capacity to do so. You could also produce something designed to be used by children and parents together to provide parents with a tool to help with the digital education of the child.
What if the child is pre-literate?
Article 29 recognises that very young or pre-literate children are, in most cases, unlikely to understand even the most basic written or non-written messages concerning transparency. In this circumstance it is obviously appropriate to provide privacy information that can be understood by the parent. However, this does not mean that the requirement to provide child friendly privacy information does not apply. The Commissioner expects controllers whose services are used by very young children to develop privacy information that can be accessed by children as and when they develop the necessary level of understanding, or in conjunction with their parents. You should ensure that this is periodically brought to the child’s attention throughout your ongoing processing relationship with them (for example when providing regular reminders about privacy settings).