The ICO exists to empower you through information.

Uphold your own published terms, policies and community standards (including but not limited to privacy policies, age restriction, behaviour rules and content policies).

What do you mean by ‘upholding your own standards’?

We mean that you need to adhere to your own published terms and conditions and policies.

We also mean that, when you set community rules and conditions of use for users of your service, you need to actively uphold or enforce those rules and conditions.

Why is this important?

Article 5(1) of the GDPR says that personal data shall be:

“processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’)”

When children provide you with their personal data in order to join or access your service they should be able to expect the service to operate in the way that you say it will, and for you to do what you say you are going to do. If this doesn’t happen then your collection of their personal data may be unfair and in breach of Article 5(1)(a).

Keeping to your own standards should also benefit you by giving children and their parents confidence that they can trust your online service with their personal data.

How can we make sure that we meet this standard?

To some extent this depends on the content of your published terms and conditions, policies and community standards.

However you should follow the overarching principle that you say what you do and do what you say. You should at least ensure that you do the following:

Only use personal data in accordance with your privacy policy

Article 5(1)(b) of the GDPR sets out the ‘purpose limitation’ principle, that personal data shall be:

“collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes...”

Articles 13 and 14 of the GDPR require you to tell data subjects what these purposes are. You do this by providing privacy information, which you may include in a privacy notice, policy or statement.

Article 5(1)(a) of the GDPR requires you to process personal data fairly and transparently.

The combined result of these provisions is that you need to use your privacy information to tell users what you will do with their personal data and why, and then make sure that you follow this through in practice.

Uphold any user behaviour policies

If you have any published rules which govern the behaviour of users of your service then you need to uphold these rules and put in place the systems that you have said you will. So if you say that you actively monitor user behaviour, or offer real time, automated, or human moderation of ‘chat’ functions, then you need to do so.

If you only rely on ‘back end’ processes, such as user reporting, to identify behaviour which breaches your policies then you need to have made that very clear in your policies or community standards. This approach also needs to be reasonable given the risks to children of different ages inherent in your service. If the risks are high then ‘light touch’ or ‘back end only’ processes to uphold your standards are unlikely to be sufficient.

If you do not have adequate systems to properly uphold your own user behaviour policies then your original collection and continued use of a child’s personal data may be unfair and in breach of the GDPR.

Uphold any content or other policies

If you make commitments to users about the content or other aspects of your online service then you need to have systems to ensure that you meet those commitments.

So if you say that the content of your online service is suitable for children within a certain age range then you need to have systems to ensure that it is. If you say that you do not tolerate bullying, then you need to have adequate mechanisms to swiftly and effectively deal with bullying incidents.

Again, if your systems aren’t adequate or you don’t keep to your promises then your original collection and continued use of the child’s personal data may be unfair and in breach of the GDPR.

If you have different policies depending on the age of your users then you need to take account of the age of the child when upholding your policies.