Children and the UK GDPR
Click to toggle details
Latest updates - last updated 15 May 2026
15 May 2026 - The updated guidance reflects changes under the Data (Use and Access) Act 2025 (DUAA) that are likely to have particular impacts on how organisation’s use children’s information. It contains improved signposting to specific requirements for information society services likely to be accessed by children and relevant children’s code standards. We’ve also added new case examples to show best practice across a range of issues where children’s information is often or likely to be used.
Contents
About this guidance
Overview and key definitions
What should our general approach be to handling children’s personal information?
- Why do children merit specific protection?
- What about the data protection principles?
- How do we build in data protection from the start when using children’s information?
- What are the best interests of the child?
- What if we’re unsure about whether we’re using children’s personal information or not?
- Do we need to consult with children if we plan to use their personal information?
- How do other regulatory duties affect our use of children’s personal information?
How do the lawful bases apply to children’s personal information?
- Which lawful bases can we rely on to handle children’s personal information?
- Can we rely on ‘consent’?
- Can we rely on ‘performance of a contract’?
- Can we rely on ‘legal obligation’?
- Can we rely on ‘vital interests’?
- Can we rely on ‘public task’?
- Can we rely on ‘legitimate interests’?
- Can we rely on ‘recognised legitimate interest’?
- What if we want to handle special category data?
Can we use children’s personal information for direct marketing purposes?
- Can we use children’s personal information to target them with direct marketing?
- What do we need to think about if we want to use children’s personal information for direct marketing purposes?
- What do we need to do if we plan to use children’s personal information for direct marketing purposes?
What if we want to profile children or make automated decisions about them?
- What are profiling and automated decision-making?
- What does the UK GDPR say about solely automated decision-making, profiling and children?
- Can we profile or make automated decisions about children?
- What types of decisions have a legal or similarly significant effect on children?
- What do we need to do if we plan to use children’s personal information to profile or make automated decisions about them?