Children and the UK GDPR

About this guidance

Who is this guidance for?

This guidance forms part of our children’s information guidance and resources page. It provides detailed, practical guidance for organisations that handle children’s personal information under the UK GDPR by focusing on additional, child-specific considerations.

If you haven’t yet read the brief guidance, read that first. It introduces this topic and sets out the key points you need to know.

Read our other UK GDPR guidance and resources for more information on the requirements that apply to both adults and children.

If you provide an information society service (ISS) likely to be accessed by children, also see our Age appropriate design code of practice (the children’s code) for detailed guidance on how to protect children’s information effectively in this context. We explain this term further in the next section under What is an ISS?.

This guidance doesn’t cover the use of children’s personal information for law enforcement or intelligence services purposes. See our Guide to law enforcement processing and Guide to intelligence services processing for more detail on the requirements that apply in these contexts.

How is this guidance structured?

This guidance explains the key considerations for organisations when handling children’s personal information. This includes:

• designing your processing activities and business practices with children’s best interests in mind;
• choosing an appropriate lawful basis for using a child’s personal information;
• the requirements that apply when you offer an ISS to a child, particularly when you use their personal information on the basis of consent; 
• factors to consider if you’re thinking about marketing or profiling children;
• what to include in your privacy information for children; and 
• what rights children have under the UK GDPR.

For an introduction to the key themes and provisions of the UK GDPR, see our UK GDPR guidance and resources page.

Links to other relevant guidance and sources of further information are provided throughout.

Contents

Overview and key definitions

• Who is defined as a child?
• What does ‘parental responsibility’ mean?
• What is an ISS?

What should our general approach be to handling children’s personal information?

• Why do children merit specific protection?
• What about the data protection principles?
• How do we build in data protection from the start when using children’s information?
• What are the best interests of the child?
• What if we’re unsure about whether we’re using children’s personal information or not?
• Do we need to consult with children if we plan to use their personal information?
• How do other regulatory duties affect our use of children’s personal information?

How do the lawful bases apply to children’s personal information?

• Which lawful bases can we rely on to handle children’s personal information?
• Can we rely on ‘consent’?
• Can we rely on ‘performance of a contract’?
• Can we rely on ‘legal obligation’?
• Can we rely on ‘vital interests’?
• Can we rely on ‘public task’?
• Can we rely on ‘legitimate interests’?
• Can we rely on ‘recognised legitimate interest’?
• What if we want to handle special category data?

Can we use children’s personal information for direct marketing purposes?

• Can we use children’s personal information to target them with direct marketing?
• What do we need to think about if we want to use children’s personal information for direct marketing purposes?
• What do we need to do if we plan to use children’s personal information for direct marketing purposes?

What if we want to profile children or make automated decisions about them?

• What are profiling and automated decision-making?
• What does the UK GDPR say about solely automated decision-making, profiling and children?
• Can we profile or make automated decisions about children?
• What types of decisions have a legal or similarly significant effect on children?
• What do we need to do if we plan to use children’s personal information to profile or make automated decisions about them?

Can we share children’s personal information?

• What do we need to do if we want to share children’s personal information with third parties?

What data protection rights do children have?

• How do data protection rights apply to children?
• When and how can children exercise these rights?
• How does the right to be informed apply to children?
• How does the right to erasure apply to children?