Can we use children’s personal information for direct marketing purposes?

In detail

• Can we use children’s personal information to target them with direct marketing?
• What do we need to think about if we want to use children’s personal information for direct marketing purposes?
• What do we need to do if we plan to use children’s personal information for direct marketing purposes?

Can we use children’s personal information to target them with direct marketing?

Direct marketing refers to advertising or marketing targeted at an individual person. When it involves children, the potential to cause harm makes appropriate safeguards particularly important.

Using children’s personal information for direct marketing purposes can include (but is not limited to):

• sending marketing messages to individual children; and
• displaying targeted adverts to children online (also known as behavioural advertising).

It also covers activities that lead up to, enable or support you in sending direct marketing, such as targeting and profiling. If you plan to use automated decision-making or profiling to target children with marketing, read the next section of our guidance, What if we want to profile children or make automated decisions about them?

The law doesn’t stop you from using children’s personal information for direct marketing purposes. However, you must meet all the requirements of the UK GDPR in doing so.

If you plan to send electronic marketing messages or display online advertising to children, you must also comply with the Privacy and Electronic Communications Regulations 2003 (PECR). In many circumstances under PECR, you must ask for consent for direct marketing. This means consent will also be the relevant lawful basis for processing under the UK GDPR.

What do we need to think about if we want to use children’s personal information for direct marketing purposes?

Recital 38 of the UK GDPR says that children merit specific protection when organisations use their personal information for marketing purposes.  

If a child shares their personal information with you (eg an email address or details about their hobbies and interests), they may not realise that you will use this to market to them. They may not even understand what marketing is and how it works.

If a child doesn’t understand your use of marketing, they may not recognise the risks of sharing their personal information with you. This can expose them to unnecessary harms, including a loss of privacy or control over their information. It can also lead them to make choices that aren’t in their best interests. For example, they may be influenced to:

• make unhealthy food choices; or 
• spend money on goods and services they don’t need or can’t afford.

If you want to use a child’s personal information for direct marketing, you should consider whether and how you can mitigate the associated risks to their interests, rights and freedoms. For example, it’s important to think about how you can:

• avoid using children’s personal information for marketing purposes or minimise the amount you collect to align with their best interests (eg by displaying online ads based on the content a child is viewing or the context of your service rather than their past online behaviour or activity);
• avoid or limit sharing children’s personal information with third parties for direct marketing wherever possible, and only do so with their valid consent or where it meets their reasonable expectations (providing clear and simple opt-out opportunities);
• ensure children can identify any marketing material you present to them as such and not present it in a way that could mislead or confuse them; and
• put in place effective storage and deletion policies to ensure that you don’t keep children’s personal information for longer than necessary for your marketing purposes.

Adopting a data protection by design and default approach to your broader information practices can support you in this process.

It’s also good practice to consider sector-specific guidance on marketing to children. This can help you ensure that you don’t use their information in ways that might lead to their exploitation or harm.

For example, the Advertising Standards Authority enforces the UK code of non-broadcast advertising and direct & promotional marketing, which includes specific rules to protect children from harmful advertising.

Our children’s code is aimed at providers of any ISS likely to be accessed by children. It also explicitly acknowledges the risks marketing and advertising practices can pose to children’s rights and freedoms. These include (but are not limited to):

• manipulative marketing that exploits their developmental immaturity;
• profiling that targets them with inappropriate or excessive advertising; and
• design features (or ‘nudge techniques’) that encourage them to share more information or reduce their privacy settings.

These risks highlight the broader importance of ensuring that your use of children’s personal information for direct marketing is fair and doesn’t take advantage of their age, developmental stage or limited understanding. This is a core requirement of the UK GDPR. It applies to all organisations, whether or not you provide an ISS.

What do we need to do if we plan to use children’s personal information for direct marketing purposes?

If you plan to use children’s personal information for direct marketing purposes, you must:

• complete a DPIA to establish whether your use of the information will result in a high risk to their rights and freedoms (see the earlier section How do we build in data protection from the start when using children’s information?);
• ensure that your use of their information is fair and complies with all the data protection principles;
• identify a lawful basis for processing (and, where relevant, a separate condition for processing special category data);
• explain what you’re doing with their personal information in a way that’s clear and easy for them to understand; and
• comply with any separate requirements under PECR.

Children also have the same right as adults to object to you using their personal information for direct marketing purposes. This means you must:

• tell them about their right to object in a way that’s clear and easy for them to understand (no later than the first time you send them a direct marketing message); and
• stop using their personal information for direct marketing purposes if they ask you to.

In all circumstances, you must ensure you specifically protect children when you use their personal information for direct marketing purposes.