This code came into force on 2 September 2020, with a 12 month transition period. Organisations should conform by 2 September 2021.
Do not use children’s personal data in ways that have been shown to be detrimental to their wellbeing, or that go against industry codes of practice, other regulatory provisions, or Government advice.
What do you mean by ‘the detrimental use of data’?
We mean any use of data that is obviously detrimental to children’s physical or mental health and wellbeing or that goes against industry codes of practice, other regulatory provisions or Government advice on the welfare of children.
Why is this important?
Article 5(1)(a) of the GDPR says that personal data must be processed lawfully, fairly and in a transparent manner in relation to the data subject, and Recital 38 that children merit specific protection with regard to the use of their personal data.
Recital 2 to the GDPR states (emphasis added):
“The principles of, and rules on the protection of natural persons with regard to the processing of their personal data should, whatever their nationality or residence, respect their fundamental rights and freedoms, in particular their right to the protection of personal data. This Regulation is intended to contribute to … the well-being of natural persons.”
Recital 75 to the GDPR says that:
“The risk to the rights and freedoms of natural persons, or varying likelihood and severity may result from personal data processing which could lead to physical, material or non-material damage, in particular:….where personal data of vulnerable natural persons, in particular children, are processed….”
This means that you should not process children’s personal data in ways that are obviously, or have been shown to be, detrimental to their health or wellbeing. To do so would not be fair.
How can we make sure that we meet this standard?
Keep up date with relevant recommendations and advice
As a provider of an online service likely to be accessed by children you should be aware of relevant standards and codes of practice within your industry or sector, and any provisions within them that relate to children. You should also keep up to date with Government advice on the welfare of children in the context of digital or online services. The ICO does not regulate content and is not an expert on matters of children’s health and wellbeing. We will however refer to other codes of practice or regulatory advice where relevant to help us assess your conformance to this standard.
Do not process children’s personal data in ways that are obviously detrimental or run counter to such advice
You should not process children’s personal data in ways that run contrary to those standards, codes or advice and should take account of any age specific advice to tailor your online service to the age of the child. You should take particular care when profiling children, including making inferences based on their personal data, or processing geo-location data.
You should apply a pre-cautionary approach where this has been formally recommended despite evidence being under debate. This means you should not process children’s personal data in ways that have been formally identified as requiring further research or evidence to establish whether or not they are detrimental to the health and wellbeing of children.
What codes or advice are likely to be relevant?
Some specific areas where there is relevant guidance, and that are likely to arise in the context of providing your online service are given below.
However, this is not an exhaustive list and you need to identify and consider anything that is relevant to your specific data processing scenario in your DPIA.
Marketing and behavioural advertising
The Committee of Advertising Practice (CAP) publishes guidance about online behavioural advertising which, in addition to providing rules applicable to all advertising, specifically covers advertising to children.
It includes rules which address:
- physical, mental or moral harm to children;
- exploiting children’s credulity and applying unfair pressure;
- direct exhortation of children and undermining parental authority; and
It also has rules which govern or prohibit the marketing of certain products, such as high fat, salt and sugar food and drinks and alcohol, to children, and general guidance on transparency of paid-for content and product placement.
Ofcom has published a code practice for broadcasters which covers the protection of under-18s in the following areas:
- the coverage of sexual and other offences in the UK involving under-18s;
- drugs, smoking, solvents and alcohol;
- violence and dangerous behaviour;
- offensive language;
- sexual material;
- exorcism, the occult and the paranormal; and
- the involvement of people under 18 in programmes.
The Independent Press Standards Organisation (Ipso) has published The Editors’ Code of Practice which includes provisions about reporting and children.
The Office for Fair Trading (OFT) has published principles for online and app-based games which includes provisions about:
- exploiting children’s inexperience, vulnerability and credulity, including by aggressive commercial practices; and
- including direct exhortations to children to buy advertised products or persuade their parents or other adults to buy advertised products for them.
Strategies used to extend user engagement
Strategies used to extend user engagement, sometimes referred to as ‘sticky’ features can include mechanisms such as reward loops, continuous scrolling, notifications and auto-play features which encourage users to continue playing a game, watching video content or otherwise staying online.
Although there is currently no formal Government position on the effect of these mechanisms on the health and wellbeing of children, the UK Chief Medical Officers have issued a ‘commentary on screen-based activities on children and young people’. This identifies a need for further research and in the meantime recommends that technology companies ‘recognise a precautionary approach in developing structures and remove addictive capabilities.’
Does this mean we can’t use features such as rewards, notifications and ‘likes’ within our service?
No, not all such features rely on the use of personal data and you may have designed your feature taking into account the needs of children and in a way that makes it easy for them to disengage without feeling pressurised or disadvantaged if they do so. However, it does mean that you need to carefully consider the impact on children if you use their personal data to support such features. You should consider both intended and unintended consequences of the data use as part of your DPIA.
Given the precautionary advice from the Chief Medical Officers, designing in data-driven features which make it difficult for children to disengage with your service is likely to breach the Article 5(1)(a) fairness principle of the GDPR. For example, features which use personal data to exploit human susceptibility to reward, anticipatory and pleasure seeking behaviours, or peer pressure.
- avoid using personal data in a way that incentivises children to stay engaged, such as offering children personalised in-game advantages (based upon your use of the individual user’s personal data) in return for extended play;
- present options to continue playing or otherwise engaging with your service neutrally without suggesting that children will lose out if they don’t;
- avoid features which use personal data to automatically extend use instead of requiring children to make an active choice about whether they want to spend their time in this way (data-driven autoplay features); and
- introduce mechanisms such as pause buttons which allow children to take a break at any time without losing their progress in a game, or provide age appropriate content to support conscious choices about taking breaks, such as that provided in the Chief Medical Officers’ advice.
Further reading outside the code