
Children’s Personal Data: What Businesses Need to Know
The Information Commissioner’s Office (ICO) recently announced that it is investigating TikTok’s use of children’s personal data to make recommendations to them, as well as Reddit and Imgur’s age verification processes. As part of its investigations, the ICO will assess whether these social media platforms are complying with the UK GDPR and the Children’s Code (the Code), writes Alexia Elassadi.
The Code, which came into force on 2 September 2021, is a set of 15 standards that providers of information society services (ISS) must follow when using the data of anyone under the age of 18. ISS includes most for-profit apps, search engines, social media platforms, online marketplaces, digital content streaming services, online games and websites that offer goods or services to internet users. As the Code is a detailed document, we have focused on a handful of standards in this article.
Data Protection Impact Assessments (DPIA)
You must undertake a DPIA to assess and mitigate any risks your processing activities will pose to children’s rights and freedoms, and keep a record of your conclusions. This will help you identify and resolve any high risks to children’s rights and freedoms at an early stage, and build a ‘data protection by design’ approach to compliance. The ICO website has detailed guidance on how and when to conduct a DPIA.
Transparency
You must be clear and honest about how you will be using children’s personal data. To achieve this, you must:
- Provide clear privacy information in a prominent place for children to find
- Where appropriate, provide ‘bite-sized’ information about how their data will be used
- Tailor your policies to the child’s age
- Present the information in a child-friendly way, for example using images or videos
- Let them know what their rights are
- Tell them what your lawful basis is for processing their data
On this last point, if you are relying on consent in the context of an ISS, you should note that only children aged 13 and over can lawfully provide their own consent. If the child is under 13, an adult with parental responsibility will need to provide this, and you will need to make reasonable efforts to verify that the person consenting on the child’s behalf does in fact hold responsibility for them.
Geolocation
Geolocation, which involves taking data from a user’s device that identifies its location, must be switched off by default. This is because children’s physical safety may otherwise be at risk.
You should notify the child, at the point of sign-up and every time geolocation data is used, so that they are aware their location is being tracked and can discuss it with an adult if they do not understand what it means.
Profiling
Profiling is any form of automated processing that uses personal data to evaluate certain aspects relating to a person, for example to analyse or predict aspects of their behaviour, interests or preferences. Profiling can suggest content by other users, or other accounts for the child to follow.
If you can provide a service without profiling, then you must provide a setting for any aspects that rely on it. Where appropriate, you must offer different settings for each type of profiling, rather than bundling them all together.
Default settings
Default privacy settings are crucial, as children are likely to accept the default settings that are in place when they start using a service. By default, you should not collect more personal data than you need to provide each part of your online service. You should also not make the child’s personal data visible to indefinite numbers of other users of the service.
You do not have to offer privacy settings for your core service (as without essential processing, you would not be able to provide it), but you must offer them for any additional services that require the processing of personal data.
By adhering to the Code, businesses can not only achieve compliance with the UK GDPR, but they can also contribute to making children’s online experience more positive and safer.
Alexia Elassadi is a senior associate in the Commercial team at the law firm Broadfield.