Skip to main content
Home

Using children’s information: a guide

Latest updates - last updated 15 May 2026

The updated guidance reflects changes under the Data (Use and Access) Act 2025 (DUAA) that are likely to have particular impacts on how organisation’s use children’s information. It also contains improved signposting to the children’s code and specific requirements for information society services likely to be accessed by children.

About this guidance

This brief guidance provides an overview of the key considerations for organisations who want to use children’s personal information. It is intended as an introduction, with links to more detailed guidance for further explanation.

For more information on using children’s personal information, see our detailed Children and UK GDPR guidance.

For broader data protection guidance, see our UK GDPR guidance and resources page.

If you’re using children’s personal information for law enforcement or intelligence services purposes, see our Guide to Law Enforcement Processing and Guide to Intelligence Services Processing which explain the specific requirements that apply in those contexts.

At a glance 

  • Children merit specific protection when you handle their personal information because they may be less aware of the risks involved.
  • If you handle children’s personal information, you must put appropriate technical and organisational measures in place. These should include designing your services with children’s needs in mind from the start.
  • If you provide an information society service (ISS) likely to be accessed by children, you must consider their needs when designing your services.
  • You must comply with the data protection principles when handling children’s personal information. You must use their information fairly and within their reasonable expectations.
  • You must have a lawful basis for processing a child’s personal information. Consent is one possible option, but others may be more appropriate and provide stronger protection for the child (eg by providing clearer safeguards). Additional rules apply if you offer an ISS directly to a child and want to rely on the consent lawful basis.
  • Children merit specific protection in particular when you use their personal information for marketing purposes or to create personality or user profiles. You should exercise caution if you plan to use children’s information for these purposes, and must implement appropriate safeguards where required under the law.
  • You should avoid making decisions about children based solely on automated processing if this will have a legal or similarly significant effect on them.
  • Children have the same data protection rights as adults over their personal information. You should consider the capacity of a child or young person to exercise their own rights.
  • You must explain to children what you will do with their personal information and what rights they have. You must do this in a way that is easy for them to access and understand, using clear and plain language.
  • You must consider a child’s right to request the erasure of their personal information.
  • If you offer an ISS likely to be accessed by children, you should conform to the children's code. If you don’t follow this code, you’re likely to find it harder to demonstrate that your use of children’s information is fair and complies with data protection law.

In brief

 

What should our general approach be to handling children’s personal information?

Children merit specific protection because they may be less aware of the risks, consequences and safeguards associated with the use of their personal information, alongside their rights. This protection is especially important when using their personal information for marketing, automated decision-making and profiling and to deliver ISS likely to be accessed by children.

You must comply with all data protection principles under the UK GDPR, with fairness playing a crucial role where children are concerned.

You must implement data protection by design and by default. This should include taking children’s needs into account from the start when designing your products and services. If you provide an ISS likely to be accessed by children, you must meet the children’s higher protection matters duty when assessing what appropriate technical and organisational measures to put in place. If you already conform to the children’s code, you are likely to comply with this duty.

The UNCRC principle of the best interests of the child should guide how you use children’s personal information. This highlights the importance of balancing their safety, privacy, wellbeing and right to be heard.

You should adopt a cautious and risk-based approach if you aren’t sure whether you’re handling children’s personal information or what age range they fall into. This may mean designing your processes, products and systems so that they offer sufficient protection for all service users (including children) and limiting your use of personal information. It may also involve implementing proportionate age-assurance measures. 

Completing a data protection impact assessment (DPIA) will help you to think about what child-friendly design features to build into your processes, products and systems. It will also help you assess and mitigate any data protection risks to children that are likely to result from your use of their information. You must do a DPIA if your use of personal information is likely to result in a high risk to the rights and freedoms of children. This includes if you use children’s personal information for marketing, profiling or other automated decision-making purposes or if you plan to offer online services directly to children.

Where appropriate and practical, you should invite children to share their views when designing your processing activities, using age‑appropriate and safe consultation methods.

Factor in any related duties you may have under other regulations, including the Online Safety Act 2023. These duties can affect how you design your services and help you identify risks to children’s information.

How do the lawful bases apply to children’s personal information?

As with adults, you must choose a lawful basis for processing before using children’s personal information. While any basis may apply, some will be more appropriate than others depending on the context.

If you want to rely on consent, you must ensure that the child can understand what they are consenting to. If they don’t understand, their consent is not ‘informed’ and therefore invalid under the UK GDPR.

If you offer an ISS directly to children and want to rely on consent, there are additional rules you must follow. Only users aged 13 and over can give their own consent. Any users under 13 require consent from a person with parental responsibility. The only exception to these rules is if the service you’re offering is a preventive or counselling service. In these cases, it may be in the child’s best interests for you to accept their consent. Alternatively you may decide that relying on a different lawful basis is appropriate. You must make reasonable efforts to verify that anyone giving consent on a child’s behalf does in fact hold parental responsibility.

If you want to rely on performance of a contract, you must consider the child’s capacity to agree to the contract and understand the implications of your use of their personal information. If you have doubts about their capacity, or your use of their information isn’t necessary for the contract, you must consider an alternative lawful basis.

If you want to rely on legal obligation, your use of children’s personal information must directly link to a legal obligation placed on you. It must also be a reasonable and proportionate way for you to achieve compliance with this obligation.

If you want to rely on vital interests, your use of children’s information must be necessary to protect someone’s life. What is necessary to protect a child may differ from an adult due to their developmental needs.

If you want to rely on public task, your use of children’s personal information must link to an underlying task, function or power you have with a clear basis in law. This usually applies to public authorities, but private organisations that exercise official authority or carry out tasks in the public interest can also use it.

If you want to rely on legitimate interests, you must balance your own (or a third party’s) legitimate interests in using the personal information against the interests and fundamental rights and freedoms of the child. This involves a judgement about the nature and purpose of your processing activities and the potential risks they pose to children. You must implement appropriate measures to mitigate those risks. This basis doesn’t apply if you want to use children’s personal information to perform your tasks as a public authority.

If you want to rely on recognised legitimate interest, you must meet one of the five Annex 1 conditions under the UK GDPR. A balancing test isn’t required, but your use of children’s personal information must be necessary for the particular recognised legitimate interest condition. You must also comply with all other legal requirements.

If you want to use children’s special category data, you must have both an article 6 lawful basis and article 9 condition for processing under the UK GDPR.

Can we use children’s personal information for direct marketing purposes?

Children merit specific protection when you use their personal information for marketing purposes.

Direct marketing can include sending marketing messages to individual children and displaying targeted adverts to them online. It also covers activities that lead up to, enable or support you in sending direct marketing (eg profiling).

The law doesn’t stop you from using children’s personal information for direct marketing purposes, but you must meet all UK GDPR requirements in doing so.

If you want to send electronic marketing messages to children, you must also comply with the Privacy and Electronic Communications Regulations 2003.

Children may not understand your use of marketing or recognise the risks of sharing their personal information with you (eg a loss of privacy or unfair influence). If you want to use a child’s personal information for direct marketing, you should think about if and how you can mitigate these risks. For example, by minimising your use of their personal information, avoiding unnecessary data sharing, keeping your adverts clearly identifiable and deleting their personal information promptly.

Following relevant standards (eg the children’s code and Advertising Standards Authority rules) can help you avoid harmful or manipulative marketing practices.

Children have the same right as adults to object to your use of their personal information for direct marketing purposes. You must stop doing this if a child (or someone acting on their behalf) asks you to do so.

What if we want to profile children or make automated decisions about them?

You should avoid using children’s personal information for automated decision-making (ADM) and profiling wherever possible. Although the law permits these activities, children still merit specific protection.

The ADM provisions under articles 22A-D of the UK GDPR apply to both children and adults. These provisions only apply where you use personal information to make solely automated significant decisions about someone. That is, they are made without meaningful human involvement and produce legal or similarly significant effects.

When the ADM provisions apply to your use of children’s personal information, you must put suitable safeguards in place to protect their rights, freedoms and legitimate interests. At a minimum, you must provide them with information about the decision and enable them to express their point of view, obtain human intervention and challenge the decision.

You should be able to demonstrate how your implementation of these safeguards takes children’s needs into account. However, if you provide an ISS likely to be accessed by children, you must take their needs into account as part of implementing data protection by design.

If your solely automated significant decisions involve the use of children’s special category data, there are stricter rules you must follow.

Can we share children’s personal information?

If you want to share children’s personal information with third parties, you must have a compelling reason to do so, considering the best interests of the child. A clear example of a compelling reason to share children’s personal information is for safeguarding purposes. However, selling on children’s personal information for commercial re-use is unlikely to be a compelling reason.

You should also carry out a DPIA to assess and mitigate the risks to children that are associated with your data sharing. If your use of children’s personal information falls within one of the categories we consider likely to result in a high risk to their rights and freedoms, you must complete a DPIA.

You can find more information about sharing children’s personal information on our data sharing guidance and resources page.

The children’s code also emphasises the need for providers of ISS likely to be accessed by children to protect children’s rights and freedoms when sharing information.

What data protection rights do children have?

Children have the same data protection rights as adults. These include (but are not limited to) the right to be informed and the right to erasure.

You must find ways to ensure that children know about and can easily exercise their data protection rights. You should also support children in exercising them.

The children’s code also emphasises the importance of providing prominent and accessible tools to help children exercise their data protection rights and report concerns.

A child can exercise their own data protection rights if they have the capacity to do so. Another person can only exercise these rights on a child’s behalf in certain circumstances. This includes where a child with sufficient capacity authorises it, where they do not have the capacity to do so or where it is clearly in their best interests.

You must provide the same information to adults and children about what you do with their personal information. This is known as your privacy information. You must provide this information to children in a concise, clear and plain style, using language that is easy for them to understand.

If you provide an ISS likely to be accessed by children, you must take children’s varying needs and levels of understanding into account when providing privacy information online.

As children may be less aware of the risks involved in handling their personal information, you should clearly explain these risks to them, as well as any safeguards you have put in place.

You must comply with a child’s right to erasure unless an exemption under article 17(3) applies. You should also make it as easy for a child to exercise their right to erasure as it was for them to provide their personal information in the first place.

One of the specific circumstances in which the right to erasure applies is when you collected that information on the basis of consent while offering an ISS directly to a child.

Further reading