In detail

What do we need to do if we intend to use children’s personal data for the purposes of profiling children or making automated decisions about them?

If you intend to use the children’s personal data for the purposes of profiling children or making automated decisions about them then you must do a DPIA to establish whether your processing will result in a high risk to their rights and freedoms. This is because these are circumstances which the ICO considers are likely to result in such a risk. For further guidance please see our detailed guidance on Data Protection Impact Assessments.

What does the GDPR say about solely automated decision making, profiling, and children?

Article 22 of the GDPR makes no specific reference to children which means that the same basic rules apply to them as to adults. These are considered in detail in our detailed guidance on automated decision making and profiling.    

You should not make decisions based solely on the automated processing of their personal data (including profiling) where those decisions have a legal or similarly significant effect upon them, unless one of the following exceptions apply. The decision:

  • is necessary for the performance of a contract between data subject and controller, and the controller has put in place suitable measures to safeguard the data subjects rights, freedoms and legitimate interests;
  • is authorised by Union or member state law which includes suitable measures to safeguard the data subject rights, freedoms and legitimate interests;
  • is based on the data subjects explicit consent, and the controller has put in place suitable measures to safeguard the data subjects rights, freedoms and legitimate interests.

If you are required to put suitable measures in place to safeguard the rights of data subjects, then these must include at least:

  • the right to obtain human intervention on the part of the controller; and
  • the right for the data subject to express his or her point of view and to contest the decision.

If the decision involves the processing of special categories of personal data then the exceptions that can be relied upon to justify the processing are more limited, and the processing can only take place if:  

  • The decision is based on the data subject’s explicit consent and suitable measures to safeguard the data subjects rights, freedoms and legitimate interests are in place; or
  • The processing is necessary for reasons of substantial public interest, on the basis of Union or member state law, and suitable measures to safeguard the data subjects rights, freedoms and legitimate interests are in place.

 

However, Recital 71 says that “such measure” (solely automated decision-making, including profiling, with legal or similarly significant effects)“should not concern a child”.  Although this wording is not reflected in the Articles of the GDPR itself, and so cannot be taken to represent an absolute prohibition on this type of processing in relation to children, it does give a clear indication that such processing of children’s personal data should not be the norm.

The need for particular protection for children in this context is also reflected in Recital 38, which says:

“Children merit specific protection with regard to their personal data, as they may be less aware of the risks, consequences and safeguards concerned and their rights in relation to the processing of personal data. Such specific protection should, in particular, apply to the use of personal data of children for the purposes of marketing or creating personality or user profiles and the collection of personal data with regard to children when using services offered directly to a child.”

Article 21 also gives data subjects, including children, an absolute right to object to profiling that is related to direct marketing.                        

What is profiling?

Profiling is defined in Article 4(4) of the GDPR as follows:

“ ‘profiling’ means any form of automated processing of personal data consisting of the use of person data to evaluate certain aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour location or movements;”

Not all decisions based solely on automated processing qualify as profiling, and not all profiling qualify as a solely automated decision for the purposes of Article 22, although there can be some overlap.                             

For further discussion of this please see our detailed guidance on automated decision and profiling.

Can a child be subject to profiling?

The rules in Article 22 of the GDPR relate to solely automated decisions (which can include profiling) rather than to the process of profiling in itself. This means that profiling that isn’t used to make decisions about particular individuals, or profiling that feeds into a wider decision making process with a human element, isn’t covered by the Article 22 rules. Neither are solely automated decisions (including profiling) which don’t have a legal or similarly significant effect on the data subject.

If Article 22 doesn’t apply then, as long as you make sure that you give specific protection to the child in accordance with Recital 38, the GDPR does not prevent you from profiling children. However, you still need to meet all the other requirements of the GDPR, such as processing fairly, having a lawful basis for processing and providing a privacy notice which the child can understand. You should be clear about what you are doing and why and not exploit any lack of understanding or vulnerability on the part of the child.

If Article 22 does apply, then you are not prohibited from profiling children but you should pay careful attention to Recital 71 and to the Article 29 Data Protection Working Party Guidelines on Automated Individual decision-making and Profiling for the purposes of Regulation 2016/679 which says that ‘where possible controllers should not rely upon the exceptions in 22(2) to justify [solely automated decision making about children, with legal or similarly significant effect]’

If you do rely upon one of the exceptions in Article 22 to justify such processing you need to demonstrate that there are suitable measures in place to properly protect the interests of the children whose personal data you are processing. In accordance with Article 22(2) if you are responsible for implementing these measures (rather than them being laid down by Union or member state law) they must include at least giving children the right to obtain human intervention, and the right to give their own view and contest a decision. Depending on the circumstances you may need to do more than this. In any case you need to make the processes by which children exercise their Article 22(2) rights child friendly and easy for them to access, use and understand. And again, you still need to comply with all the other requirements of the GDPR.

You also need to tell the child that you intend to use their personal data to make automated decisions about them and explain to them, in language they can understand, the logic involved in the decision making and the significance and envisaged consequences of the processing. This is a requirement under both Articles 13 and 14 of the GDPR

If you are considering profiling children for marketing purposes then you should take into account the following comments from the Article 29 Data Protection Working Party Guidelines on Automated Individual decision-making and Profiling for the purposes of Regulation 2016/679 that ‘Because children represent a more vulnerable group of society, organisations should, in general, refrain from profiling them for marketing purposes. Children can be particularly susceptible in the online environment and more easily influenced by behavioural advertising. For example, in online gaming, profiling can be used to target players that the algorithm considers are more likely to spend money on the game as well as providing more personalised adverts. The age and maturity of the child may affect their ability to understand the motivation behind this type of marketing or the consequences. Given these comments, you are expected to justify your processing, evidencing what safeguards you have put in place and demonstrating that it appropriate to use children’s personal data in this way.

You should also note that the child’s right to object to your processing their personal data for the purposes of direct marketing extends to any profiling that is related to that direct marketing. So if the child (or someone acting on their behalf) asks you to stop profiling for this purpose, then you must do so.

What does ‘produce legal effects’ and ‘or similarly significantly affects’ mean?                 

This is discussed in more detail in our detailed guidance on automated decision making and profiling

A legal effect on a child is something that has an impact on their fundamental legal rights and freedoms, or affects their legal status in some way.

A decision which ‘similarly significantly affects’ a child therefore needs to have an impact on them that is equal or equivalent to affecting their fundamental legal rights and freedoms or legal status.

Decisions based upon solely automated processing of personal data are sometime used with the aim of influencing a data subject’s future choices and behaviours. For example, in the context of behavioural advertising, a profile of past browsing habits may be used to automatically display certain products to particular individuals, with the aim of influencing them to buy those products. This can be a particular issue where children are concerned because they may be more easily influenced, and less able to understand the motivation behind such processing. An EU study on the impact of marketing through social media, online games and mobile applications on children’s behaviour found that marketing practices have clear and sometimes subliminal impacts on children’s behaviour.

Whilst not every choice a child makes in response to such processing has a ‘similarly significant’ effect on them, some may. For example, solely automated processing of a child’s personal data that influences a child to make poor food choices, to the detriment of their physical health, could be said to affect them in a way that is ‘similarly significant’ to a legal effect.

If you wish to make decisions based upon the solely automated processing of children’s personal data, with the intention of influencing their choices or behaviour, you therefore need to consider what impact those choices or behaviours may have upon the child, and decide whether this amounts to a similarly significant effect. If it does reach this bar then Article 22 will apply and, in line with Recital 71 and the opinion of the Article 29 Data Protection Working Party, we would advise you to think very carefully before you proceed with the processing, and if you do go ahead, then make sure it can be justified under one of the exceptions.

Wider evidence may help you in assessing the impact of your processing. For example CAP (Committee of advertising practice) has rules banning the advertising of high fat, salt or sugar (HFSS) food or drink products in children’s media, because of its likely effect on children’s health. The rules, which apply to media targeted at under-16s, came into effect on 1 July 2017. The ban applies in traditional and online children’s media, from magazines and cinema to social media and advergames.

In general, if advertising standards prohibit or limit the marketing of certain types of products to children, this should give you a good indication that influencing a child’s choices in this area could potentially have a similarly significant effect on them. And even if the ‘similarly significant effect’ bar is not met, you should remember that the Article 29 Data Protection Working Party recommends that you should avoid profiling children for the purposes of marketing. So if you decide to do so you need to be able to justify your decision and demonstrate that you have protected the children whose personal data you are processing adequately.