I work with and know a lot of parents running their own businesses and many of those businesses are child-friendly. Perhaps they’re working directly with children or parents or maybe they’re producing online content that may be consumed by younger audiences. From after-school clubs and children’s clothing to child therapists and SEN consultants, most people who choose to work with children and families do so because they love it. Fortunately, this means we have some wonderful people providing child-related products and services. Yet, when it comes to data protection when the target market is under 18s, it can get a bit confusing. With powerful tech giants even getting publicly shamed and fined for not meeting data protection requirements when it comes to children (as demonstrated through the latest TicTok legal saga), small businesses need to ensure they are fully compliant. As we’ve discussed previously, this is not easy at the moment especially when it comes to data protection in the UK post-Brexit but pre-new legislation (still trawling through Parliament!).
If you’re running a business that communicates in any way with children then you need to know about data protection. However, many businesses will be communicating with people under the age of 18, even if they’re not their target market and so will still need to have protections put in place. The ICO strongly advises that every company do this from the outset. It is far more difficult to do repair work on the processes of data protection than it is to structure them with children in mind from the beginning. YouTube is an excellent example of a platform that failed to properly include children in its data protection practices until much later which caused them a number of issues and resulted in them having to launch a YouTube specifically for children when it became impossible to safeguard them on the main platform.
What Are Children’s Data Protection Rights?
Firstly, if you’re working with children or producing content for children you’ll need to look at many other ways of safeguarding children beyond data protection policies as there is far more to consider and protect again. For this article though, we’re just focusing on data protection.
When it comes to collecting data on children then you must have a lawful reason for doing so and you must safeguard this information. Data relates to any personal information. It may not identify a person specifically but may provide information about their behaviour, especially online.
Data may be shared in person or online. It is a common misconception that data protection only relates to online environments. It doesn’t. For example, if you are running children’s classes and you request enrolment forms then you are collecting and processing data and data protection guidance needs to be followed.
Online, data may be collected via online forms but it can also relate to tracking technologies such as cookies. Therefore, you will need a Privacy Policy and possibly also a Cookie Policy to be displayed on your website.
In terms of data protection, children have the same rights as adults which include access to information regarding how their data will be used, access to their personal data, the right to object to processing and the right to have their personal data removed. However, children also have some advanced protected rights and the ICO has a guide to children and data protection which delves a little deeper into these.
What is the Children’s Code?
The ICO has issued the Children's Code (officially known as “Age appropriate design: a code of practice for online services”), as part of the Data Protection Act 2018. This Code applies to any online business that is targeted at children under the age of 18. Since September 2021 all such companies are obliged to comply with this Code. The Code has 15 standards that need to be adhered to, to provide a safe space for children to explore and play within the online world. The standards include things like:
Switching off geolocation services by default.
Not using nudge techniques to encourage children to provide unnecessary personal data (or to weaken their privacy settings).
Ensuring children are aware when they are being monitored by built-in parental controls.
Conducting data protection impact assessments on any data processing, accounting for different ages/development needs of online users.
Information regarding privacy and data must be made available to children in clear language that children can understand. This means you might need to consider getting a special child friendly version of your privacy policy prepared.
The Code also requires services to only collect data that is strictly necessary for the running of the site
You should note that non-compliance with the Children's Code could lead to a fine under the data protection legislation.
What are the General Data Protection Principles for Dealing with Children’s Data?
The key to children’s data protection is the objective that children between 13 and 18 years should be able to understand your policies. Whenever you request information from anyone you should let them know why, how the information will be used and how you will protect that information. Especially, you must let them know if their data will be passed on to third parties and allow them to opt-out. This applies to any person however if you are requesting data from children then this disclosure must be formatted and worded to suit the age of the reader. In other words - no legal jargon or sesquipedalian language (love the irony of that word). Your privacy policies, terms and conditions, terms of sale, data protection disclaimers and any other contract or policy that relates to a customer who could be a child, must be easily accessed and in clear and plain language - such that would be reasonable for a 13-year-old child to understand.
When Is Parental Consent Needed Online?
In UK law, anyone under the age of 13 years is not able to permit their data to be collected or used in any way. Therefore, it requires parental consent. This applies online and in person, which is why no one may request personal details from a child under the age of 13 without their parents (or carers) permission.
However, it’s important to understand that the person giving permission does not own this data. Personal data always belongs to the person it relates to, regardless of age.
Parental or carer consent may be bypassed only for some specific purposes, such as if a child's personal information is required for counselling or protective/preventative services. So, if you believe a child to be in need of help or protection, normal data protection clauses relating to children may not apply. The NSPCC offers some excellent guidance on this so if you are in a position where you may come across children who need to disclose personal information to you without a parent or carer’s consent then I urge you to discover more about safeguarding and perhaps even take one of the NSPCCs safeguarding courses to learn more about when consent is not required.
In terms of online platforms, in recent years many have put more barriers in place to prevent children from accessing parts of the internet that may not be appropriate for them. Google allows parents to set up accounts for children that are under parental control and it doesn’t allow children to access certain material without parental password input. Clearly, there is still much work to do by many of the tech giants. Small businesses, however, are also not excluded from this responsibility and if you are selling products or producing content online that is not appropriate for all ages then it may be a technical solution you need in addition to ensuring you are compliant with data protection legislation across your legal documents and policies.
What Can My Business Do To Keep Children’s Data Protected?
When collecting any personal data, you must have proper processes in place for safe storage and you must be clear about how this data can be used, particularly data relating to children.
If your data is stored digitally you must do everything possible to protect it from unauthorised access. This would include keeping it protected from hackers by ensuring your systems are regularly updated and trusted firewalls are utilised. If your data is physical (i.e. paperwork) then it should also be kept somewhere safe. Many people won’t realise that leaving a folder containing registration forms of children unattended would mean you are not complying with data protection law.
As a company storing data, you should also be mindful of who in your organisation can access this data. Your privacy policy, particularly regarding data protection, should be provided to all employees and they must understand they are working with private, protected information. However, many small businesses are likely to work with third parties such as freelancers and VAs. Although permission may be given to these consultants to access or use your customer’s information in the course of their duties, you may want to consider an NDA (non-disclosure agreement) or have specific data processing clauses in your service agreement with them, to further safeguard this data. Certainly, data protection should be addressed in any and all agreements where you are opening up customer or user information to temporary workers. Please get in touch if you have any questions or need any help including data protection clauses in existing contracts or if you require new ones to be drafted.
First and foremost, ensuring you’re compliant is best approached by centering children’s protection and preserving their privacy rights from the offset. It’s a matter of asking yourself if your company's products or services are accessible to children, whether intended or not, and ensuring that data that may relate to children (a keyword here is ‘may’) is protected to the very best of your ability.
Not every company that uses data relating to children is ‘evil’. Often it is for the benefit of the child, sometimes it is for the benefit of the company (to enable them to actually provide their services), but does not infringe upon a child’s rights or harm them in any way. However, there are important issues and questions to explore when it comes to using data collected from children for marketing purposes. This can be a grey area.
When it comes to advertising or marketing aimed at children, the ASA (advertising standards authority) provides guidance on this and you can read more about them in my blog, What Do Small Businesses Need To Know About The ASA. Within the ASA Codes there are a couple of sections entitled 'Children:Safety' and ‘Children:Targeting’. Be sure to take a careful read of the do’s and don’ts if you are about to embark on advertising or marketing aimed at any children under the age of 16 years, or marketing/advertising which includes imagery of children. As with all of the ASA Codes - usual common sense applies!
What the ICO advises, is that if you intend to use children’s data for anything but essential records, then you complete a DPIA. A DPIA is a Data Protection Impact Assessment, and it is a process designed to help you identify and address any data protection risks, in particular in regards to children being able to access your services due to your use of their personal data. More than advisable, this is actually an essential step you must take whenever there is a risk in data processing practices. Carrying out a DPIA will also assist you in constructing proper privacy policies and processes around data protection.
The ICO also offers plenty of informative and free resources to help you understand and comply with rules and regulations around children and data protection and you can find this here.
Whether you are a large or a small business, you may now be wondering if your privacy policies and data protection clauses in your legal contracts are robust enough, especially relating to children’s data protection. If you are at all concerned please get in touch and we can look at what you have and whether improvements or updates need to be made.