What data protection rights do children have?
How do data protection rights apply to children?
Children have the same data protection rights over their personal information as adults. In this chapter, we discuss where these rights have child-specific considerations. This includes (but is not limited to) the rights to:
- be given clear and transparent information about how their personal information is used; and
- have their personal information erased in certain circumstances.
We also discuss how the application of these rights can differ in practice depending on factors such as a child’s age, stage of development, capacity and level of understanding.
You must find ways to ensure that children know about and can easily exercise their data protection rights. You should also actively support children in exercising these rights.
Further information – ICO guidance
For more information about how data protection rights apply to both adults and children, see our individual rights guidance and resources.
When and how can children exercise these rights?
Exercising their own rights
A child can exercise their data protection rights on their own behalf at any time. Where they have the capacity to do so, you must make this possible.
In Scotland, a person aged 12 or over is usually considered mature enough to exercise these rights unless there is evidence to suggest otherwise. This doesn’t apply in England, Wales or Northern Ireland. Instead, capacity is assessed depending on the child’s level of understanding. Assessing a child’s capacity is a nuanced judgement that may change over time as they develop.
In general, a child isn’t considered to have sufficient capacity if it’s clear that they’re acting against their own best interests.
If you’ve already decided that a child is capable of giving their own consent to the use of their personal information, it’s usually reasonable to assume they also have the capacity to exercise their own data protection rights.
You must take appropriate steps to make it possible for children to exercise their data protection rights in all settings. This includes enabling them to exercise meaningful control over their personal information, particularly online.
If your organisation is covered by the children’s code, you should:
- provide ways for children to exercise their data protection rights or make complaints in relation to your online services;
- provide ways for children to indicate that their complaint or request is urgent and explain why;
- actively consider any information they provide and prioritise based on this; and
- have clear procedures in place to act quickly if a child shares information with you that raises safeguarding concerns.
These considerations reflect your broader obligations under the UK GDPR that apply in both online and offline contexts. However, they are given specific emphasis where the children’s code applies.
Acting on a child’s behalf
If a child is competent to exercise their own data protection rights, then, just like an adult, they may authorise someone else to act on their behalf.
This might be, for example:
- a person with parental responsibility; or
- another appropriate representative (eg a child advocacy service, charity or solicitor).
Even if a child is too young to understand what their data protection rights mean, they are still that child’s rights rather than anyone else’s. Therefore, a person can only exercise these rights on behalf of a child if:
- the child authorises them to do so;
- the child does not have sufficient understanding to exercise the rights themselves; or
- it’s clearly in the child’s best interests.
This applies in all circumstances, including in an online context where a parent or guardian gave the initial consent for using the child’s personal information rather than the child.
Where a person with parental responsibility has previously exercised rights on behalf of a child and continues to do so, you should regularly review this arrangement to ensure it remains appropriate and in the child’s best interests. These interests may change over time as the child develops.
It’s usually appropriate to let a person exercise a child’s rights on their behalf if:
- you’re satisfied that the child is not competent; and
- the person who has approached you holds parental responsibility for the child.
The exception is if you have evidence to suggest that this isn’t in the child’s best interests.
If you’re confident that the child can understand their rights, you should respond directly to the child. However, you could allow the person with parental responsibility to exercise the child’s rights on their behalf if the child authorises this, or if it’s clearly in the child’s best interests.
What matters is whether the child can understand and deal with the potential consequences of exercising their rights. For example, does the child understand what it means to request a copy of their information and how to interpret the information they receive in response?
In borderline cases, you should think about:
- the child’s level of maturity and their ability to make decisions about exercising their rights;
- the nature of the personal information;
- any court orders about parental contact or responsibility that
may apply; - any duty of confidentiality you owe to the child or young person;
- any potential consequences of allowing the parent to exercise the child’s rights on their behalf (this is particularly important if anyone has accused the parent of abuse or ill treatment);
- any potential harm to the child or young person if their parent can’t access this information; and
- any views the child or young person has on whether their parent
should have access to information about them.
Under article 80(1) of the UK GDPR, children and adults can also authorise not-for-profit bodies or organisations (including child advocacy services) to act on their behalf in relation to their data protection rights. This includes making complaints to an organisation or to us. You should have measures in place to respond to requests made by an authorised representative acting on behalf of a child.
How does the right to be informed apply to children?
What information to give to children
Under the UK GDPR, people have the right to be informed about the collection and use of their personal information.
You must provide the same information to adults and children about what you do with their personal information. This is known as your ‘privacy information’.
Being transparent about how you use personal information is fair and gives people greater choice and control.
You can find a full list of the information you must provide to people when you handle their personal information in our guidance on the right to be informed. The required information varies depending on whether the personal information is given to you by the person themselves or a third party.
As children may be less aware than adults of the risks involved in handling their personal information, you should clearly explain these risks to them, as well as any safeguards you have put in place. This helps children understand what it means to share their information with you so they can make informed choices and take appropriate steps to protect themselves.
How to give this information to children
You must provide your privacy information in a concise, clear and plain style, using language that’s easy for children to understand.
You should ensure the information is age-appropriate and, as far as possible, address it directly to the relevant age group. If your target audience covers a wide age range, you could provide different versions of your privacy information for different age groups.
If you choose to present your privacy information in a single format, you must make it accessible to both adults and children, especially those in your youngest user age range.
You could consider presenting your privacy information in a way that’s appealing to a young audience. This might mean using features to attract and interest them, such as:
- Diagrams
- Cartoons
- Graphics
- Videos
In an online context, you could use:
- dashboards;
- layers (which break privacy information into manageable chunks to make it easier to digest);
- just-in-time notices; and
- prominent and easily identifiable icons and symbols that help draw attention to key privacy messages (eg around data sharing, consent or user safety).
If you provide an ISS likely to be accessed by children, you must consider children’s varying needs and levels of understanding when you’re providing privacy information online. This includes ensuring the information is age-appropriate, easy to understand, and designed with children’s best interests in mind.
Further information – ICO guidance
For further information on providing age-appropriate privacy information in an online context, see:
Giving information to parents
Children don’t lose their right to transparency if a person with parental responsibility exercises their data protection rights on their behalf. This means you must give both parents and children clear and accessible privacy information to ensure that they’re sufficiently informed.
You could achieve this by:
- developing different versions for these different audiences; or
- producing a child-friendly version that parents can also understand.
Taking this approach gives parents the information they need, while also helping children to develop the confidence and ability to exercise their rights independently as they grow.
You could also create a resource for children and parents to use together, giving parents a tool to support their child’s learning. For example, if your service provides animated videos to explain key data protection concepts to children and parents, you could include follow-up questions to help parents check their child’s understanding.
Pre-literate children
In most cases, very young or pre-literate children are unlikely to understand even the most basic written or non-written messages about what you want to do with their information. In these circumstances, you should provide privacy information that their parents can understand.
However, the requirement to provide child-friendly privacy information still applies. You should still develop privacy information that children can access when they’re ready, either on their own or with a parent. You should bring this to the child’s attention throughout your ongoing relationship with them (eg when providing regular reminders about privacy settings).
Further reading – ICO guidance
How does the right to erasure apply to children?
The UK GDPR gives people, including children, the right to have their personal information erased in certain circumstances. This is sometimes known as the ‘right to be forgotten’.
Recital 65 says that the right to erasure:
is relevant in particular where the data subject has given his or her consent as a child and is not fully aware of the risks involved by the processing, and later wants to remove such personal data, especially on the internet. The data subject should be able to exercise that right notwithstanding the fact that he or she is no longer a child…
This is consistent with the underlying principle of recital 38. This recital says that children merit specific protection because they may be less aware than adults of the risks, consequences and safeguards associated with the use of their personal information. It applies regardless of whether the child’s consent was originally given in an online or offline context.
Article 17(1)(f) of the UK GDPR states that one of the specific situations where the right to erasure applies is when:
the personal data have been collected in relation to the offer of information society services referred to in Article 8(1).
(For further guidance on the child-specific article 8(1) provisions, see the section Additional consent requirements for ISS providers.)
If a person makes an erasure request in line with article 17(1), you must comply with it unless an exemption under article 17(3) applies. When assessing if any exemptions apply, you should consider whether the person is making a request about personal information collected when they were a child. This is because they may not have fully understood the implications or risks involved at the time.
In these situations, there is usually an increased expectation of what’s ‘necessary’ to protect the child’s rights. This means the right to erasure is more likely to apply here than if an adult originally provided the information. You should consider these requests on a case-by-case basis.
Example
A child creates a personal account on a popular gaming platform. The child later decides to close their account, as they are no longer interested in the game. They submit a request to the platform to close their account and have all their personal information deleted.
The platform must comply with the child’s right to erasure if it no longer needs to hold their personal information.
Example
A social worker maintains weekly case notes about a child who is experiencing neglect at home. The child makes a verbal request to the social worker to stop recording information about them and delete all their previous case notes.
The social worker can override the child’s request in this case. This is because the law requires them to keep a record of their case notes to comply with their safeguarding and accountability duties.
You must make your process for exercising the right of erasure clear and accessible for children.
Article 7(3) of the UK GDPR says that you must make it as easy for a person to withdraw their consent as it is to give it. You should also apply this principle to any processes related to the right to erasure. Therefore, you should make it as easy for a child to get their personal information erased as it was for them to provide it to you in the first place. For example, if you started handling a child’s personal information without asking them to provide original identity documents, it’s usually disproportionate to require these as a condition of erasure.
In an online context, you should make dashboards and take-down tools available for children and other users to easily delete or remove their personal information. This might include “delete my information” buttons that are prominently placed in users’ account settings. The online tools standard of the children’s code includes further guidance on providing prominent and accessible tools to help children exercise their data protection rights (including the right to erasure).
The right to erasure doesn’t necessarily have to be exercised by the same person who initially provided consent for the use of the child’s personal information. For example, if a parent originally provided consent, this doesn’t mean that they will also have to request the erasure. This is because the person whose information you’re using may no longer be a child or now be capable of exercising their rights on their own behalf.
In such cases, you should accept their request for erasure without needing to involve the parent.
Similarly, if a child is capable of giving consent for your use of their information and exercising their own data protection rights, it’s usually inappropriate to accept a parent’s request to erase the child’s personal information without considering the child’s wishes.
There may be a disagreement between a child and their parent about whether to erase their personal information or not, or a child may wish to have their information erased without their parent’s knowledge. In this case, you should consider the child’s level of understanding and what’s in their best interests. You should do this on a case-by-case basis.
Similarly, if more than one person holds parental responsibility, and they disagree about whether or not to erase the child’s personal information, you should consider the child’s views and best interests as far as possible.