This code came into force on 2 September 2020, with a 12 month transition period. Organisations should conform by 2 September 2021.
Settings must be ‘high privacy’ by default (unless you can demonstrate a compelling reason for a different default setting, taking account of the best interests of the child).
What do you mean by ‘default privacy settings’?
Privacy settings are a practical way for you to offer children a choice over how their personal data is used and protected. You can use them whenever you collect and process children’s personal data in order to ‘improve’ ‘enhance’ or ‘personalise’ their online experience beyond the provision of your core service.
They can cover how children’s personal data is used:
- in an interpersonal sense; the extent to which their personal data is made visible or accessible to other users of your online service;
- by yourself as provider of the online service; for example using personal data to suggest in-app purchases; and
- by third parties; for example to allow third parties to promote or market products.
Default privacy settings govern the use of children’s personal data if the child does not make any changes to the settings when they start using your online service.
Why are they important?
Many children will just accept whatever default settings you provide and never change their privacy settings. This means that it is of the utmost importance that the defaults you set are appropriate for children and provide them with adequate protection in how their personal data is used. For children, it is not enough to allow them to activate high privacy settings, you need to provide them by default (unless you have a compelling reason to do otherwise, taking into account the best interests of the child).
They are also important because of Article 25(2) of the GDPR which provides as follows.
“25(2) The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible without the individual's intervention to an indefinite number of natural persons.”
This means that, by default, you should not:
- collect any more personal data than you need to provide each individual element of your online service; or
- make your users’ personal data visible to indefinite numbers of other users of your online service.
You can also use privacy settings to support the exercise of children’s data protection rights (such as the rights to object to or restrict processing). And they can give children and parents confidence in their interactions with your online service, and help them explore the implications of allowing you to use their personal data in different ways.
Do we have to provide a privacy setting every time we use a child’s personal data?
You should provide privacy settings (set to high privacy by default) to give children control over when and how you use their personal data whenever you can.
It is not necessary however for you to provide a privacy setting for any personal data that you have to process in order to provide your core or most basic service. This is because without this essential processing there is no core service for you to offer. In this circumstance, if the child wishes to access the core service, you cannot offer them a choice over whether their personal data is processed or not.
In order to give children control over when and how their personal data is used, you should provide privacy settings for any processing that is needed to provide additional elements of service that go beyond the core service.
We will look very carefully at any claims that a privacy setting cannot be provided because the personal data is needed to provide the core service. You should follow the spirit not just ‘the letter of’ the code in this respect and should take care not to abuse the concept of a core service by applying it more widely than is warranted.
See also Annex C to this code ‘Lawful basis for processing’ which explains the need to differentiate between core and non-core elements of your service in any case, in order to identify an appropriate lawful basis for processing as required by the GDPR.
There may also be some other limited types of processing where it is not appropriate to offer a privacy setting. For example, if you need to process a child’s personal data in order to meet a legal obligation (such as a child protection requirement) or to prevent child sexual exploitation and abuse online. It is then not appropriate to offer them a choice over whether their personal data is processed for this purpose or not.
How can we make sure that we meet this standard?
Provide ‘high privacy’ default settings
If it is appropriate for you to offer a privacy setting, then your default position for each individual privacy setting should be ‘high privacy’.
This means that children’s personal data is only visible or accessible to other users of the service if the child amends their settings to allow this.
This also means that unless the setting is changed, your own use of the children’s personal data is limited to use that is essential to the provision of the service. Any optional uses of personal data, including any uses designed to personalise the service have to be individually selected and activated by the child.
Similarly any settings which allow third parties to use personal data have to be activated by the child.
The exception to this rule is if you can demonstrate that there is a compelling reason for a different default setting taking into account the best interests of the child.
Consider the need for any further intervention at the point at which any setting is changed
Making sure that privacy settings are set to high privacy by default will in itself mitigate the risks to children, as many children will never change their privacy settings from the default position.
Similarly, providing age appropriate explanations and prompts at the point at which a child attempts to change a privacy settings, as required under the transparency standard, will mitigate risk.
However you should also consider whether to put any further measures in place when a child attempts to change a setting. This depends on your assessment of the risks inherent in the processing covered by each setting and could include further age assurance measures. You should use your DPIA to help you assess risks and identify suitable mitigation.
Allow users the option to change settings permanently or just for the current use
If a user does change their settings you should generally give them the option to do so permanently or to return to the high privacy defaults when they end the current session. You should not ‘nudge’ them towards taking a lower privacy option (for more information on this see the section of this code on Nudge techniques). Slightly different considerations apply for geo-location data which makes the child’s location visible to others. This is covered in more detail in the section of this code on geolocation.
Ultimately you need to demonstrate that you have made it easy for a child to maintain or revert to high privacy settings if they wish to do so.
Retain user choices or high privacy defaults when software is updated
If you introduce a software update, (eg to update security measures or introduce new features), then you should retain any privacy settings that the user has applied. If it is not possible to do this (eg if a new aspect or feature to the product or service is introduced, or an existing feature is significantly changed so the previous privacy settings are no longer relevant) you should set the new setting to high privacy by default.
Allow for different user choices on multi-user devices
If you provide an online service that allows multiple users to access the service from one device, then whenever possible you should allow users to set up their own profiles with their own individual privacy settings. This means that children do not have to share an adult’s privacy settings when they share the same device. Profiles could be accessed via screen-based options or using voice recognition technology for voice activated online services.
You should include clear information for the person who sets up or registers the device alerting them to the potential for the personal data of multiple users to be collected.
Are privacy settings a consent mechanism?
For consent to be valid under the GDPR it needs to meet the following definition:
GDPR Article 4(11)
"‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subjects wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her"
If your settings are off by default and the user has to activate the processing by changing the default setting, then you may be able to use privacy settings as part of your mechanism for obtaining consent to your processing under the GDPR. However, you also need to meet the requirements of Article 7 of the GDPR (conditions for consent) and the age verification and parental responsibility verification requirements of Article 8 (these only allow children of 13 or over to provide their own consent), so they won’t be enough on their own.
Privacy settings aren’t just relevant to consent. You may also use them to give children choice over how their personal data is used if you rely on other lawful bases for processing (such as legitimate interests) which don’t have any formal consent requirements.
For more information about lawful bases for processing, including consent, please see the supplementary guidance in Annex C. You may also wish to talk to your DPO if you have one.