In detail

What do we need to do if we intend to use children’s personal data for the purposes of marketing?

If you intend to use the children’s personal data for marketing purposes then you must do a DPIA to establish whether your processing will result in a high risk to the rights and freedoms of your data subjects. This is because targeting marketing at children is one of the circumstances which the ICO considers is likely to result in such a risk. For further guidance please see our detailed guidance on Data Protection Impact Assessments.

Can we use children’s personal data for the purposes of marketing?

The GDPR states that children’s personal data merits specific protection, which should in particular apply to the use of their data for marketing purposes or creating personality or user profiles.

Using children’s personal data for marketing purposes can include both using personal data to send marketing messages to individual children (also known as direct marketing) and using personal data to display targeted adverts in an online context (also known as behavioural advertising).

You are not necessarily prevented from using children’s personal data for marketing purposes, but you need to make sure that you meet all the requirements of the GDPR. For example, you need to ensure the processing is fair and complies with all the data protection principles. You need to have a lawful basis for processing and must explain what you are doing with their personal data in a way that they can understand. In all circumstances you need to ensure the child is specifically protected when their personal data is processed for these purposes. You should not exploit any lack of understanding or vulnerability.

Children have the same right as adults to object to the processing of their personal data for direct marketing purposes. So, if they ask you to stop processing their personal data for this purpose you need to stop doing so. You also need to tell them about their right to object, either the first time that you send them a direct marketing message, or before you send this first message. If you intend to use profiling or behavioural advertising to target children with marketing then you should also read the section of our guidance “What if I want to profile children or make automated decisions about them?”

If you intend to send electronic marketing messages to children then you need to comply with the Privacy and Electronic Communications Regulations 2003 and you should read our Guide to PECR. In many circumstances under PECR you need to ask for consent for direct marketing, and this means that consent is the relevant basis for processing under the GDPR as well. You should note that the Directive from which these regulations are derived is currently under review and the rules may be subject to change.

What should we consider if we want to use a child’s personal data for marketing purposes?

Recital 38 says that children merit specific protection when their personal data is used for the purposes of marketing because they may be less aware of the risks, consequences and safeguards concerned.

If a child gives you their personal data, such as an email address, or information about their hobbies or interests, then they may not realise that you will use it to market to them, and they may not even understand what marketing is and how it works. This may lead to them receiving marketing that they do not want. If they are also unable to critically assess the content of the marketing then their lack of awareness of the consequences of providing their personal data may make them vulnerable in more significant ways. For example, they may be influenced to make unhealthy food choices, or to spend money on goods that they have no use for or cannot afford.

So, if you wish to use a child’s personal data for marketing you need to think about if and how you can mitigate these risks.

Advertising standards stipulate that marketing targeted directly at or featuring children should not contain anything that is likely to result in their physical, mental or moral harm. For example, adverts must not exploit their credulity, loyalty, vulnerability or lack of experience. They must not condone or encourage poor nutritional habits or an unhealthy lifestyle in children.

It is good practice to consider sector specific guidance on marketing, such as from the Advertising Standards Authority, to make sure that you do not use children’s personal data in a way that might lead to their exploitation.

Further reading

For more general information on advertising regulation visit the website of CAP (Committees of Advertising Practice) and ASA (Advertising Standards Authority): www.asa.org.uk.

For further information on the existing ePrivacy rules, please see our Guide to PECR.

Our Direct marketing guidance should also remain useful, and will be updated to reference the new requirements of the GDPR.