The ICO exists to empower you through information.

The privacy information you provide to users, and other published terms, policies and community standards, must be concise, prominent, and in clear language suited to the age of the child. Provide additional specific ‘bite-sized’ explanations about how you use personal data at the point that use is activated.

What do you mean by ‘transparency’?

Transparency is about being clear, open and honest with your users about what they can expect when they access your online service.

Why is it important?

Transparency is key to the requirement under Article 5(1) of the GDPR to process personal data:

“lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’)”

The GDPR also contains more specific provisions about the information that you must give to data subjects when you process their personal data. These are set out at Article 13 (when you have obtained the personal data directly from the data subject) and Article 14 (when you have not obtained the personal data directly from the data subject).

Article 12 of the GDPR requires you to provide children with this information in a way in which they can access and understand it:

“The controller shall take appropriate measures to provide any information referred to in Article 13 and 14 and any communication under Articles 15 to 22 and 34 relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form,  using clear and plain language, in particular for any information addressed specifically to a child. The information shall be provided in writing, or by other means, including, where appropriate, by electronic means. When requested by the data subject the information may be provided orally, provided that the identity of the data subject is proven by other means.”

On a wider level transparency is also intrinsic to the fairness element of Article 5(1). If you aren’t clear, open and honest about the service that you provide and the rules that govern that service, then your original collection and ongoing use of the child’s personal data is unlikely to be fair.

How can we make sure that we meet this standard?

Provide clear privacy information

Firstly you need to provide the privacy information set out in Articles 13 and 14 in a clear and prominent place on your online service. You should make this information easy to find and accessible for children and parents who seek out privacy information.

However, it is not sufficient to rely on children or their parents seeking out this privacy information.

Provide ‘bite-sized’ explanations at the point at which use of personal data is activated

In order to provide children with the specific protection envisaged by Recital 38 you should also provide clear information about what you do with children’s personal data in more specific, ‘bite-size’ explanations, at the point at which the use of the personal data is activated. This is sometimes referred to as a ‘just in time notice’. Depending on the age of the child and the risks inherent in the processing, you should also prompt them to speak to an adult before they activate any new use of their data, and not to proceed if they are uncertain.

just in time notice

You should also consider if there are any other points in your user journey when it might be appropriate to provide bite-sized explanations to aid the child’s understanding of how their personal data is being used.

Provide clear terms, policies and community standards

All other information you provide for users about your service should also be clear and accessible. This includes terms and conditions, policies and community standards.

In every case you should provide information that is accurate and does not promise protections or standards that are not routinely upheld.

This should help children or their parents make properly informed decisions about whether to provide the information required to access or sign up to your service in the first place, and to continue to use it.

If you believe that you need to draft your terms and conditions in a certain way in order to make them legally robust, then you can provide child-friendly explanations to sit alongside the legal drafting.

Present information in a child friendly way

You should present all this information in a way that is likely to appeal to the age of the child who is accessing your online service.

This may include using diagrams, cartoons, graphics, video and audio content, and gamified or interactive content that will attract and interest children, rather than relying solely on written communications.

You may use tools such as privacy dashboards, layered information, icons and symbols to aid children’s understanding and to present the information in a child-friendly way. You should consider the modality of your service, and take into account user interaction patterns that do not take place in screen-based environments, as appropriate.

Dashboards should be displayed in a way that clearly identifies and differentiates between processing that is essential to the provision of your service and non-essential or optional processing that the child can choose whether to activate.

Tailor your information to the age of the child

You need to consider how you can tailor the content and presentation of the information you provide depending on the age of the user.

There may be some scenarios in which providing one, simplified, accessible to all, set of information may work. For example, if you are an online retailer which only collects the personal data needed to complete online transactions and deliver goods.

However, in many cases a-one-size-fits-all approach does not recognise that children have different needs at different stages of their development. For example, a pre-literate or primary school child might need to be actively deterred from changing privacy settings without parental input, whereas a teenager might be better supported by clear and neutral information which helps them make their own informed decision.

For more information about the developmental needs of children at different ages please see Annex B to this code.

For younger children, with more limited levels of understanding, you may need to provide less detailed information for the child themselves and rely more on parental involvement and understanding. However you should never use simplification with the aim of hiding what you are doing with the child’s personal data and you should consider providing detailed information for parents, to sit alongside your child directed information.

You should make all versions of resources (including versions for parents) easily accessible and incorporate mechanisms to allow children or parents to choose which version they see, or to down-scale or up-scale the information depending on their individual level of understanding.

down or up scale icons

The following table provides some recommendations. However, they are only a starting point and you are free to develop your own service specific information and user journeys which take account of the risks inherent in your service.

Depending on the size of your organisation, your number of users, and your assessment of risk you may decide to carry out user testing to make sure that the information you provide is sufficiently clear and accessible for the age range in question. You should document the results of any user testing in your DPIA to support your final conclusions and justify the presentation and content of your final resources. If you decide that user testing isn’t warranted, then you should document the reasons why in your DPIA.

You should also consider any additional responsibilities you may have under the applicable equality legislation for England, Scotland, Wales and Northern Ireland. 

Age range Recommendations
0-5
Pre-literate & early literacy

Provide full privacy information as required by Articles 13 & 14 of the GDPR in a format suitable for parents.

Provide audio or video prompts telling children to leave things as they are or get help from a parent or trusted adult if they try and change any high privacy default settings.

6-9
Core primary school years 

Provide full privacy information as required by Articles 13 & 14 of the GDPR in a format suitable for parents.

Provide cartoon, video or audio materials to sit alongside parental resources. Explain the basic concepts of online privacy within your service, the privacy settings you offer, who can see what, their information rights, how to be in control of their own information, and respecting other people’s privacy. Explain the basics of your service and how it works, what they can expect from you and what you expect from them.

Provide resources for parents to use with their children to explain privacy concepts and risks within your service. Provide resources for parents to use with their children to explain the basics of your service and how it works, what they can expect from you and what you expect from them.

If a child attempts to change a default high privacy setting provide cartoon, video or audio materials to explain what will happen to their information and any associated risks. Tell them to leave things as they are or get help from a parent or trusted adult before they change the setting.

10-12
Transition years

Provide full privacy information as required by Articles 13 & 14 of the GDPR in a format suitable for parents.

Provide full privacy information as required by Articles 13 & 14 of the GDPR in a format suitable for children within this age group. Allow children to choose between written and video/audio options. Give children the choice to upscale or downscale the information they see (to materials developed for an older or younger age group) depending on their individual needs.

If a child attempts to change a default high privacy setting provide written, cartoon, video or audio materials to explain what will happen to their information and any associated risks. Tell them to leave things as they are or get help from a parent or trusted adult before they change the setting.

13 -15
Early teens 

Provide full privacy information as required by Articles 13 & 14 of the GDPR in a format suitable for this age group. Allow them to choose between written and video/audio options. Give them the choice to upscale or downscale the information they see (to materials developed for an older or younger age group) depending on their individual needs.

If a child attempts to change a default high privacy setting provide written, video or audio materials to explain what will happen to their information and any associated risks. Prompt them to ask for help from a parent or trusted adult and not change the setting if they have any concerns or don’t understand what you have told them.

Provide full information in a format suitable for parents to sit alongside the child focused information.

16-17
Approaching adulthood

Provide full information in a format suitable for this age group. Allow them to choose between written and video/audio options. Give them the choice to upscale or downscale the information they see (to materials developed for an older or younger age group) depending on their individual needs.

If a child in this age group attempts to change a default high privacy setting provide written, video or audio materials to explain what will happen to their information and any associated risks. Prompt them to check with an adult or other source of trusted information and not change the setting if they have any concerns or don’t understand what you have told them.

Provide full information in a format suitable for parents to sit alongside the child focused information.