Step 1: Identify the need for a DPIA
Explain broadly the nature of your online service, and the current stage of design or development. You may find it helpful to refer or link to other documents. Summarise when and how you identified the need for a DPIA.
Guidance: Standard 2 of the Children’s code requires Information Society Services* to undertake a DPIA if they are processing children’s data. Therefore, it may be useful to reference the Children’s code requirement in step 1. See Standard 2 of the Children’s code - DPIAs:
“Undertake a DPIA to assess and mitigate risks to the rights and freedoms of children who are likely to access your service, which arise from your data processing. Take into account differing ages, capacities and development needs and ensure that your DPIA builds in compliance with this code.”
Similarly, as this DPIA focuses on a connected toy, it would be useful to reference in this section how you will conform with Standard 14 of the code - Connected toys and tablets:
“If you provide a connected toy or tablet, ensure you include effective tools to enable conformance to this code”.
*An Information Society Service is defined as “any services normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services.” You can see the Services covered by this code for more information on whether you may be in scope of the Children’s code.
We are launching a connected tablet aimed at children between the ages of four and 12. This is a new version of an established tablet originally launched in 2018 with updated app features. Over 500,000 copies of the original tablet have been sold in markets in the USA, Europe and Middle East (including the UK), and Asia.
It is an educational product which enables children to learn how to operate a tablet and develop skills such as cognitive development, problem solving, creative play, basic maths, reading comprehension, hand eye coordination and language development. It allows children to take and store photos and videos, browse the internet, listen to music and watch shows.
The tablet uses the Google Android OS 10 operating system.
In conjunction with the tablet, we offer our own secure app store to which tablet users can connect and download age-appropriate apps, games, e-books and other products from a server operated by The Toy Company. These products are in age appropriate bands of four to five, six to nine, and 10-12 years old. Children are given a username by their parents at tablet set-up. They connect to the app store through their tablet using a tab, and are only able to see the products appropriate to their age bracket (with ages input by parents through the parental control screens). Children select the items that they want. If the item is free, they can download the app immediately to the tablet. If the app has a fee, their request triggers an email to their parents, who either confirm or reject the purchase. In the event of rejection, the children are shown an age-appropriate message advising them that the download has been rejected and to discuss their download request with their parents.
Parents are required to accept terms and conditions for the app store before it can be used by their children, and create an account for themselves and their children to use. Parents need to provide first name, last name, email address, username and password to create an account. They are able to associate a separate username and password to each child that they want to access the app store through the tablet.
Helpful hint: attach copies of all relevant privacy notices and terms and conditions documents for your tablet and any core applications that may have separate policies or terms to the core devise.
Use of the app store is restricted to The Toy Company products only.
Our website does not feature content aimed at children above the age of 12.
Access to Google Play store is turned off-by-default. Access may be enabled through the parental control screen. When parents set up the system they have the option of changing these settings permanently or enabling on a case-by-case basis.
Guidance: The Children’s code offers guidance to ISS on how to offer age appropriate online services to children. See Standard 3 of the AADC – Age appropriate application for further information:
“Take a risk-based approach to recognising the age of individual users and ensure you effectively apply the standards in this code to child users. Either establish age with a level of certainty that is appropriate to the risks to the rights and freedoms of children that arise from your data processing, or apply the standards in this code to all your users instead.”
You might also find it helpful to review Annex B of the AADC - Age and developmental stages.
Key features of the tablet include:
- a touchable interactive screen, microphone, camera with funny filters, MP3 player, web browser, calendar, clock and alarm;
- a series of built-in age-appropriate apps for gaming and learning, video recording, playback and editing;
- the ability to add apps, e-books, videos and music from our own website or the Google App Store. (Where a fee is charged for content, only parents may purchase apps etc. Purchases are made through the parental control dashboard);
- the ability to take and store photographs using a proprietary app with the photo stored on the tablet only. (Access to cloud based storage is turned off-by-default. Parents may turn on when they set up the system for their child);
- the ability to create and store artwork using a proprietary app with the work stored on the tablet only; and
- the ability to browse the web.
Helpful hint: Provide further details on each pre-installed app that provides core functionality for the tablet (ie is used by default) within the DPIA. Include details for each app in each section of the DPIA below.
The toy is sold through online and in-shop retailers. We do not sell or deliver the tablets directly to customers. Although, we do sell downloadable content (eg apps, videos and music) for the tablet through our app store website. Apps may also be purchased through Google App Store if parents enable this feature through the product set-up stage.
We collect and process children’s personal data through in-house platform analytics and technical monitoring of children’s use of the toy. The tablet collects the game-play data from the children. We use this to provide the appropriate game level and challenges for children of different ages, and to guide the development of new features and services. We anonymise the data we collect for research and development purposes before use, and we analyse it to identify improvements to the apps and tablet. We do not share this data beyond the company.
Our tablet and apps support different age ranges: four to five, six to nine and 10 to 12. There are different settings available to different age groups if the tablet has multiple users. Games, music, and videos that feature a seven plus PEGI rating are only available to the 10 to 12 age groups.
When the tablet is launched, it asks parents to enter the date of birth for their children. Subsequent tablet launches asks children to log into their profile to ensure that the correct content is available for each individual child. In this way, each user of the tablet can only access their own content and data.
Users can access content from multiple curriculums and levels appropriate for the various age ranges. As the child plays one of our apps, the age range selection and details of the content and curriculum previously accessed are sent to our server. The server can then guide the child to the correct level based on previous progress. We do not retain or analyse data on external apps downloaded to the tablet.
We have identified the need for a DPIA because we will be collecting and processing children’s personal data through platform analytics and technical monitoring of children’s use of the toy. This processing is included in the list published by the UK Information Commissioner’s Office under Article 35(4) of the GDPR.
Helpful hint: You can see the ICO’s guidance on what activities are considered likely to result in a high risk and need a DPIA. You should also review the Children’s code harms framework. The framework is a flexible tool for identifying data-related risks to children that you need to consider when completing your DPIA. Its aim is to support online services to place children’s best interests at the heart of their services.