With enforcement on children’s data privacy ramping up around the world, Ireland’s Data Protection Commission has issued a detailed report on the fundamental principles of such data privacy, as well as some helpful suggestions to controllers on how to improve.

The key principles:

  1. FLOOR OF PROTECTION: Online service providers should provide a “floor” of protection for all users, unless they take a risk-based approach to verifying the age of their users.
  2. CLEAR-CUT CONSENT: When a child has given consent for their data to be processed, that consent must be freely given, specific, informed and unambiguous, and by a clear statement or affirmative action.
  3. ZERO INTERFERENCE: Ensure that the pursuit of legitimate interests do not interfere with, conflict with or negatively impact, at any level, the best interests of the child.
  4. KNOW YOUR AUDIENCE: Take steps to identify your users and ensure that services directed at/ intended for or likely to be accessed by children have child-specific data protection measures in place.
  5. INFORMATION IN EVERY INSTANCE: Children, not just their parents, are entitled to receive information about the processing of their own personal data.
  6. CHILD-ORIENTED TRANSPARENCY: Privacy information about how personal data is used must be provided in a concise, transparent, intelligible and accessible way, using clear and plain language that is comprehensible and suitable to the age of the child.
  7. LET CHILDREN HAVE THEIR SAY: Don’t forget that children are data subjects in their own right and have rights in relation to their personal data at any age.
  8. CONSENT DOESN’T CHANGE CHILDHOOD: Consent obtained from children or from guardians/parents should not be used as a justification to treat children of all ages as if they were adults.
  9. YOUR PLATFORM, YOUR RESPONSIBILITY: If a platform uses age verification and/or relies on parental consent for processing, it should go the extra mile in proving that its measures around age verification and verification of parental consent are effective.
  10. DON’T SHUT OUT CHILD USERS OR DOWNGRADE THEIR EXPERIENCE: If your service is directed at, intended for, or likely to be accessed by children, you can’t bypass your obligations simply by shutting them out or depriving them of a rich service experience.
  11. MINIMUM USER AGES AREN’T AN EXCUSE: Theoretical user age thresholds for accessing services don’t displace the obligations of organizations to comply with the controller obligations under the GDPR and the standards and expectations set out in these fundamentals.
  12. A PRECAUTIONARY APPROACH TO PROFILING: Don’t profile children and/or carry out automated decision making in relation to children for marketing/advertising purposes unless you can clearly demonstrate how and why it is in the best interests of the child to do so.
  13. DO A DPIA: Undertake data protection impact assessments (DPIA). The principle of the best interests of the child must be a key criterion in any DPIA and must prevail over the commercial interests of an organization in the event of a conflict.
  14. BAKE IT IN: If you routinely process children’s personal data you should, by design and by default, have a consistently high level of data protection which is “baked in” across your services.

Key recommendations:

  • Data SharingDo not systematically share a child’s personal data with third parties without clear parental knowledge, awareness and control; Build in parental reminders/notifications, where appropriate.
  • Profiling: Turn off identifiers, techniques or settings which allow any tracking of activity online for advertising purposes.
  • Nudge techniques: Avoid the use of nudge techniques that encourage or incentivize children to provide unnecessary information or to engage in privacy disrupting actions.
  • Encourage privacy enhancing behavior: push notices/just-in-time notifications emphasizing that one or more option(s) provides a greater level of privacy than the action the child user is about to pick.
  • Opt to process personal data on the user’s device, as opposed to transferring the data to the cloud.
  • Avoid the use of personalized auto features, such as autoplay features and reward loops where children’s personal data is used to support these features.
  • Provide parents with an overall view of activity (including any history of activity) and settings that their child has available to them. Consider allowing parents to modify child account controls and settings, where appropriate.
  • Make it visible to the child that their parent(s) can tell which app/ website/ program etc. they are using or that their parent(s) can later review their activity history.
  • Higher security settings for child account data may be appropriate, including the possibility of isolating or “air gapping” child personal data from adult personal data. Administrator accounts for child data should be flagged or have a specific role so that internal organizational access can be easily distinguished, monitored, audited and altered.
  • Avoid the collection and processing of children’s biometric data.
  • Where a child can share communications, content or data, ensure limited audience selections by default. Contact from others outside of the child’s authorized contacts should not be possible for younger children without parental knowledge, awareness and intervention.
  • Geolocation:
    • Turn off geolocation by default for child users unless the service being provided is necessarily dependent upon it. If this is the case, make it clear to the child (e.g. through the use of symbols/icons) that their location is available to the service or can be seen by other users.
    • Provide clearly visible controls to allow the child to change this at any time or following each session, after a short time period, or once the event or feature requiring location has completed.
    • Significantly reduce the level of accuracy of geolocation data collection except where necessary.