Default privacy settings
-
Due to the Data (Use and Access) Act coming into law on 19 June 2025, this guidance is under review and may be subject to change. The Plans for new and updated guidance page will tell you which guidance will be updated and when this will happen.
Control measure: For services accessed, or likely to be accessed, by children, each processing activity is reviewed to determine whether it might pose a risk to children and then the default privacy setting is set to high privacy.
Risk: If the default privacy settings are not set to 'high', then this can indicate that appropriate steps are not being taken to protect children's information and wellbeing. Also, there is a risk of unauthorised or inappropriate access to children's information, or breaches in privacy. This may breach article 5 (1) (f) (a) and 25 of the UK GDPR.
Ways to meet our expectations:
- Set the default setting to 'high privacy' for direct and core processing of children’s information, unless there is a compelling reason for a different default setting, taking into account the best interests of the child.
- Document the decision-making process if you determine that some core processing for children does not require a high privacy setting (eg for safeguarding reasons).
- Ensure children’s personal information is not visible or accessible to other people who use the service or third parties.
Options to consider:
- Implement prompts or information messages that inform children of the risks when disabling or lowering high privacy default settings.
- Promote and raise awareness of privacy settings or pro-privacy features in your online service, such as in advertising locations or on feeds.
Control measure: There are measures in place to ensure that any user or system generated changes to privacy settings do not compromise children’s privacy.
Risk: Without safeguards in place, if privacy settings are lowered as a result of service changes or action by the user, previous settings will be lost and privacy will be at risk. This may breach article 5 (1) (f) of the UK GDPR.
Ways to meet our expectations:
- If children do change their settings, ensure that they return to the high privacy defaults when they end the current session.
- Provide children with age-appropriate explanations and prompts at the point they attempt to change any privacy settings.
- If settings are changed, ensure that age-appropriate content and ads are still served.
- Implement measures to retain any privacy settings that children have applied following a software update, an update to security measures or the introduction of new features.
- Allow children to set up their own profiles with their own individual privacy settings if your online service allows multiple people to access the service from one device.
- Ensure children can access and check profiles easily.
Options to consider:
- Use screen-based options or voice recognition technology for voice-activated online services so children (and parents or guardians, where appropriate) can easily check privacy settings.