Covid 19 has had a profound effect on how we interact with the people around us – in our personal lives as well as at work. Many face-to-face interactions have moved online and few groups have been more impacted by this change than schoolchildren.

Schools and face-to-face learning have been replaced almost overnight by online tutorials and an apparently infinite supply of online learning resources and services.

As a host of organisations from the BBC to national museums and educational institutions have moved to fill the hole resulting from school closures by providing learning tools for children remotely, it is important to remember the legal implications of engaging with children online. Here we identify some of the headline data protection issues that need to be understood by organisations offering online resources to children.

Parental consent when offering online services

The General Data Protection Regulation (GDPR) imposes restrictions on organisations which offer what are known as information society services or ISS to children. The definition of ISS is widely interpreted and includes most online services offered to children, for instance online messaging services, not-for-profit apps and many online news and educational websites.

What this means is that in the UK if you are offering ISS directly to a child and you are relying on consent (as a lawful basis), you will need to get consent from a parent or someone with parental responsibility for children who are under 13.

To give an example, if you are offering an online subscription service for educational content and you need consent to send marketing emails about your service, you will need to get the consent of the child’s parent or a person with parental responsibility to send those emails to children who are under 13.

This doesn’t mean that you always need consent to process a child’s personal data when providing online services, so in most cases it will be easier to rely on an alternative legal basis under the GDPR for processing, such as legitimate interests. However, in some cases consent will be needed – for instance if you are processing special category data about children (which would include information about their race, religion, health or ethnicity) or sending them marketing emails or texts. Also, remember that reliance on legitimate interests requires you to demonstrate that you have fully considered the impact of your processing on children – the GDPR indicates that children merit ‘specific protection’ so that the onus is greater on you to demonstrate that children’s rights are protected.  

Note that under the GDPR you will not need parental consent (or consent from someone with parental responsibility) if you are offering confidential counselling services to children online.

Age Appropriate Design Code

If you are providing online services or ISS as described above to children, you should also consider the new Age Appropriate Design Code, (the Code) which is the ICO’s* new code of practice for online services likely to be accessed by children.  The Code contains 15 standards of age appropriate design which organisations need to meet, including:

  • Ensuring that settings on your site are “high privacy” by default;
  • Not sharing children’s personal data unless you can demonstrate a compelling reason to do so, taking account of the best interests of the child;
  • Not using nudge techniques to encourage children to provide unnecessary personal data or weaken or turn off their privacy protections;
  • Ensuring that the privacy information you provide to children is concise, prominent and in clear language suited to the age of the child (see guidance below on Privacy Notices); and
  • Data minimisation – collecting only the minimum amount of personal data that you need to provide your service; for instance, if you are providing an online learning tool to a child, you do not need to collect information about their wider interests unless this is necessary to allow you to provide the service you are offering.

The Code is not yet in force and there is expected to be a transition period of at least a year before it is enforced (which means the Code is not expected to be enforced until Autumn 2021), but organisations which are designing websites and online resources aimed at children should seek to ensure that they are working towards compliance with the 15 standards.  We blogged about the draft Code when it was published by the ICO back in April 2019 – see here.

Privacy notices

If you are collecting personal data about children on your site (which could include names, contact details, interests, preferences) you need to provide children with a privacy notice. This needs to contain exactly the same information as is included in a privacy notice that you provide to adults, including details of how you plan to use their personal data, who you might share it with and how long you will keep it.

Privacy notices should use clear language suited to the age of the child. Using a privacy notice that you have prepared for adult users is unlikely to be sufficiently clear for children to understand (though you should consider providing one privacy notice for adults as well as a separate privacy notice for children). You should make the notice easy to find and accessible for children and parents. The Code recommends that you provide privacy information in more specific “bite size” explanations at the point at which the use of the personal data is activated.

Privacy information should be provided in a way likely to appeal to the age of the child who is accessing your service. This may include for instance using diagrams, cartoons, graphics or videos. The Code contains useful guidelines on how organisations can provide privacy information to children of different age groups from 0-5 (Pre-literate and Early Literacy) right up to ages 16-17 (Approaching Adulthood).

Sending marketing emails to children

The GDPR requires that children are given additional protection when their personal data is used for marketing purposes because they may be less aware of the risks and consequences of their data being used for marketing.

If you are intending to use a child’s personal data for marketing purposes you must carry out a Data Protection Impact Assessment or DPIA (which is a form of risk assessment) to establish whether the processing you are proposing will result in a high risk to the rights and freedoms of the children concerned.

For more information on DPIAs and a template DPIA form, please see here.

And finally, a few additional data protection points to remember when engaging with children online

  1. Encourage children not to share their personal data with others online.
  2. Remember that children have a right to be forgotten so, if you rely on their consent/ or that of a parent or guardian to process their personal data, they can withdraw that consent.
  3. Ensure that you have a clear data retention policy in place so that you are only keeping children’s data for as long as you need it.

If you would like to discuss any of the issues covered here, please contact Mairead O’Reilly, [email protected]

* Information Commissioner’s Office