The ICO exists to empower you through information.

The Children’s code’s standards outline many steps you can take to address impacts on children’s rights, and ultimately conform with the code. We’ve outlined these actions for the common data processing activities outlined in step 2 of this guidance.

Age assurance

  • Establish the age of child users with a level of certainty that is appropriate for the risks that your data processing creates. If you can’t, apply the code’s standards to all users. Consider the following to estimate or verify the age of your child users:
    • age self-declaration;
    • artificial intelligence;
    • third-party age verification services;
    • account holder confirmation;
    • technical measures; or
    • hard identifiers.
  • Introduce measures to ensure accuracy, avoid bias and explain the use of AI-based age assurance.
  • Clearly tell users how their data will be processed for age assurance and how they can challenge an inaccurate assessment of their age.
  • Do not repurpose data and user profiles developed for age assurance for other purposes. Only collect the minimum amount of data needed.
  • Apply standards of the code in a way that recognises the age of your child users. For example, provide privacy information that is appropriate to the self-declared age of the user, but give them the option to access versions written for different age groups as well.
  • If you rely on consent for any aspects of your online service, you need to get parental authorisation for children under 13.
  • If you are using a third-party age assurance provider, you need to obtain assurances and do due diligence on third parties you are sharing data with. This is to ensure they are using data in ways that are in the children's best interests.
  • Ensure your use of age assurance does not discriminate against users and has due regard to the Equality Act 2010.
  • More recommendations can be found in the Commissioner’s Opinion on the use of age assurance.

Data sharing between users

  • Ensure settings that allow the sharing of children’s data with other users are set to off by default, unless you can demonstrate a compelling reason otherwise, taking into account the best interests of the child.
  • Any default settings related to data sharing should specify the purpose of the sharing and who you are sharing the data with. Settings which allow general or unlimited sharing are not compliant.
  • Provide clear information about what you do with children’s personal data in more specific, ‘bite-size’ explanations. Do this at the point at which you share the personal data. This is sometimes referred to as a ‘just-in-time notice’.
  • Depending on the child’s age and the risks inherent in the processing, you should prompt them to speak to an adult before they activate any new use of their data. You should also say to not proceed if they are uncertain.
  • Allow users the option to change their data sharing settings either permanently or just for the current use.
  • Retain inter-user data sharing choices or high privacy defaults when you update the software.
  • Do not use nudge techniques to lead or encourage children to provide unnecessary personal data or turn off privacy protections. Nudge techniques are design features which lead or encourage users to follow the designer’s preferred paths in the user’s decision making. For example, presenting one choice more prominently than another, or framing one alternative more positively than another.

Data sharing with a third-party organisation

  • Do not disclose children’s data unless you can demonstrate a compelling reason to do so, taking account of the best interests of the child.
  • Obtain assurances, and do due diligence, on third parties you are sharing data with. This is to ensure they are not using children’s data in ways that are not in the children’s best interests.
  • Any default settings related to data sharing should specify the purpose of the sharing and who you are sharing the data with. Settings which allow general or unlimited sharing are not compliant.
  • Provide clear information about what you do with children’s personal data in more specific, ‘bite-size’ explanations. Do this at the point at which you share the personal data. This is sometimes referred to as a ‘just-in-time notice’.
  • Depending on the child’s age and the risks inherent in the processing, you should prompt them to speak to an adult before they activate any new use of their data. You should also say to not proceed if they are uncertain.
  • Allow users the option to change their data sharing settings either permanently or just for the current use.
  • Retain inter-user data sharing choices or high privacy defaults when you update the software.
  • Do not use nudge techniques to lead or encourage children to provide unnecessary personal data or turn off privacy protections. Nudge techniques are design features which lead or encourage users to follow the designer’s preferred paths in the user’s decision making. For example, presenting one choice more prominently than another, or framing one alternative more positively than another.

Geolocation

  • Switch geolocation tracking to off-by-default, unless it is essential to the core of your service (for example, a map service).
  • Provide information at the point of sign-up, and each time a child accesses the service, that alerts them to the use of geolocation data. The service should prompt the child to discuss this with a trusted adult if they don’t understand what it means.
  • Revert settings which make the child’s location visible to others to ‘off’ after each use. This is unless you can demonstrate that you have a compelling reason to do otherwise, taking into account the best interests of the child.
  • If your service allows a parent or carer to monitor their child’s online activity or track their location, provide an obvious sign to the child (such as a lit up icon or a pop-up) when they are being monitored.
  • Provide parents with information about the child’s right to privacy under the UNCRC, which explains why children have a right to know where their online activity is being tracked.
  • For connected devices that track geolocation - find ways to communicate ‘just in time’ information. This explains how you are using children’s data at the point of use and avoid passive collection of geolocation data.

Online complaint and requests tools

  • Provide prominent and accessible tools to help children (and their parents where appropriate) exercise their data protection rights relating to how services use their data – including their rights to:
    • access;
    • correct;
    • erase;
    • transfer; and
    • object.
  • Ensure tools for children to exercise their data rights are age-appropriate and easy for them to use.
  • Ensure tools for children to exercise their data rights are specific to the individual right they support.
  • Include ways for the child or their parent to track the progress of complaints and requests relating to their data rights.
  • Include mechanisms for children to indicate when they think complaints or request relating to data rights are urgent, and why.
  • Use pro-privacy nudges that encourage children to engage with online tools, where appropriate.
  • Depending on the age of the child, you should prompt them to speak to an adult before they exercise their data rights.

Connected toys and devices

  • Be clear about who is processing children’s personal data at different points of a connected device network, and what their responsibilities are.
  • Anticipate that multiple users of different ages may use connected devices. Make sure that the default service you provide is suitable for use by children.
  • Provide clear information about your use of personal data at point of purchase, and on set-up, of the connected device.
  • Find ways to communicate ‘just in time’ information that explains how you use children’s data - for example using auto-play audio messages for a connected speaker.
  • Avoid passive collection of personal data, and make it clear to children or their parent when the device is collecting this data. For example, showing when a connected device is in listening mode.

Parental controls

  • Provide information at the point of sign-up, and each time a child accesses the service, that alerts them to the use of parental controls. The service should prompt the child to discuss this with a trusted adult if they don’t understand what it means.
  • If your service allows a parent or carer to monitor their child’s online activity or track their location, provide an obvious sign to the child (such as a lit up icon or a pop-up) when they are being monitored.
  • Provide parents with information about the child’s right to privacy under the UNCRC, which explains why children have a right to know where their online activity is being tracked.

Profiling and service personalisation

  • Switch options which use profiling ‘off’ by default. Do this unless you can demonstrate a compelling reason for profiling to be on by default, taking account of the best interests of the child. Examples of a compelling reason include:
    • profiling to meet a legal or regulatory requirement (such as safeguarding);
    • to prevent child sexual exploitation or abuse online; or
    • for age assurance.
  • Always provide a privacy setting for behavioural advertising. This is advertising which you use to fund a service, but is not part of the core service.
  • Differentiate between different types of profiling for different purposes. Offer different privacy settings for each of these purposes. Don’t bundle them into one consent notice or privacy setting.
  • Provide information to child users at the point at which you activate any profiling. You should explain what happens to the child’s personal data and any risks that may arise from it. You should also provide age-appropriate prompts to seek assistance from an adult. Do not activate the profiling if they are uncertain or don’t understand.
  • Provide options for children to tailor how content is personalised. This could include content controls.
  • If profiling is on, ensure that you put appropriate measures in place to safeguard the child (in particular from inappropriate content). Such measures could include:
    • contextual tagging;
    • algorithmic risk assessments;
    • transparent information on how content is recommended;
    • robust reporting procedures; and
    • elements of human moderation.
  • For behavioural advertising, follow Committee of Advertising Practice (CAP) guidance on online behavioural advertising. This specifically covers advertising to children.
  • For data-enabled delivery of online content to children, ensure the content does not breach Ofcom’s code of practice for broadcasters where it relates to people under 18.
  • For data-enabled delivery of news, refer to the Independent Press Standards Organisation’s Editors’ Code of Practice provisions about reporting and children.
  • Obtain assurances from, and do due diligence on, third parties you are sharing data with to perform profiling. You need to ensure they are not using children’s data in ways that are not in the children’s best interests.
  • Consult with the ICO if there is a residual high risk of profiling of children that you can’t mitigate.

Profiling for automated decision making

  • Switch options which use profiling ‘off’ by default. Do this unless you can demonstrate a compelling reason for profiling to be on by default, taking account of the best interests of the child. Examples of a compelling reason include:
    • profiling to meet a legal or regulatory requirement (such as safeguarding);
    • to prevent child sexual exploitation or abuse online; or
    • for age assurance.
  • Differentiate between different types of profiling for different purposes. Offer different privacy settings for each of these purposes. Don’t bundle them into one consent notice or privacy setting.
  • Provide information to child users at the point at which you activate any profiling. You should explain what happens to the child’s personal data and any risks that may arise from it. Also provide age-appropriate prompts to seek assistance from an adult. Do not activate the profiling if they are uncertain or don’t understand.
  • If profiling is on, ensure that you put appropriate measures in place to safeguard the child (in particular from inappropriate content). Such measures could include:
    • contextual tagging;
    • robust reporting procedures; and
    • elements of human moderation.
  • Obtain assurances from, and do due diligence on, third parties you are sharing data with to perform profiling. You need to ensure they are not using children’s data in ways that are not in the children’s best interests.
  • Introduce measures to ensure accuracy, avoid bias and explain use of AI-based profiling.
  • Consult with the ICO if there is a residual high risk of profiling of children that you can’t mitigate.

Privacy information, policies and community standards

  • Actively uphold and enforce your policies and community standards – including privacy policies, user behaviour policies and content policies.
  • Provide the privacy information in a clear and prominent place on your online service. You should make this information easy to find and accessible for children and parents who seek out privacy information.
  • Provide clear information about what you do with children’s personal data in more specific, ‘bite-size’ explanations. You should do this at the point at which you use their personal data. This is sometimes referred to as a ‘just-in-time notice’.
  • Depending on the child’s age and the risks inherent in the processing, you should prompt them to speak to an adult before they activate any new use of their data. You should tell them not to proceed if they are uncertain.
  • Consider if there are any other points in your user journey when it might be appropriate to provide bite-sized explanations. This could be to aid the child’s understanding of how you are using their personal data.
  • Present privacy information in a way that is likely to appeal to the age of children on your service. This may include using:
    • diagrams;
    • cartoons;
    • graphics;
    • video and audio content; and
    • gamified or interactive content that interests children, rather than relying solely on written communications.
  • Privacy dashboards, layered information, icons and symbols can also aid children’s understanding.
  • Consider how you can tailor the content and presentation of the information you provide depending on the age of different child users. Incorporate mechanisms to allow children or parents to choose which version they see. Perhaps allow them to down-scale or up-scale the information, depending on their individual level of understanding.

Privacy and data use settings

  • Ensure you set the default settings to high privacy. This is unless you can demonstrate a compelling reason for a different default, taking into account the best interests of the child. For example:
    • to fulfil a legal obligation;
    • for safeguarding; or
    • if it is not possible to provide the essential elements of your service without doing so.
  • Ensure settings that allow you to share children’s data with other users or third parties are set to off by default. This is unless you can demonstrate a compelling reason for a different default, taking into account the best interests of the child.
  • Provide age-appropriate explanations and prompts at the point at which a child attempts to change a privacy setting.
  • Allow users the option to change settings permanently or just for the current use.
  • Retain user choices or high privacy defaults when you update the software.
  • If you provide an online service that allows multiple users to access the service from one device, then whenever possible you should allow users to set up their own profiles with individual privacy settings. This means that children do not have to share an adult’s privacy settings when they share the same device.
  • Do not nudge users to lower their high privacy default settings.