What if we want to profile children or make automated decisions about them?
In detail
- What are profiling and automated decision-making?
- What does the UK GDPR say about solely automated decision-making, profiling and children?
- Can we profile or make automated decisions about children?
- What types of decisions have a legal or similarly significant effect on children?
- What do we need to do if we plan to use children’s personal information to profile or make automated decisions about them?
What are profiling and automated decision-making?
We’ve produced dedicated guidance on the use of automated decision-making, including profiling. See that guidance for more information about what counts as profiling and automated decision-making. It also explains how to determine whether your processing activities are covered by the automated decision-making provisions outlined in articles 22A-D of the UK GDPR. We refer to these as the ‘ADM provisions’ throughout this chapter.
In this chapter, we also use ‘automated decision-making’ in a broader sense to describe activities that the ADM provisions don’t specifically cover.
What does the UK GDPR say about automated decision-making, profiling and children?
The ADM provisions don’t specifically refer to children. The provisions apply where you use personal information to make a solely automated significant decision about a person. This means the decision:
- is “based solely on automated processing”, including profiling (ie there is no meaningful human involvement in the decision); and
- has a “legal or similarly significant effect” on a person (which the UK GDPR refers to as a ‘significant decision’).
For human involvement to be ‘meaningful’, you must ensure it is active and not just a token gesture.
(For more information on what we mean by a ‘significant decision’, see the section ‘What types of decisions have a legal or similarly significant effect on children?’)
When you use personal information to make solely automated significant decisions about people, including children, you must put in place suitable safeguards to protect their rights, freedoms and legitimate interests.
As a minimum, you must include measures that:
- provide people with information about the solely automated significant decisions you’re making about them;
- enable them to express their point of view about those decisions;
- enable them to obtain human intervention from you about those decisions; and
- enable them to challenge those decisions.
If your solely automated significant decisions involve special category data, you must follow stricter rules. Article 22B of the UK GDPR states that these decisions cannot be made unless one of the following conditions is met:
2. The first condition is that the decision is based entirely on processing of personal data to which the data subject has given explicit consent.
3. The second condition is that –
(a) the decision is –
(i) necessary for entering into, or performing, a contract between the data subject and a controller, or
(ii) required or authorised by law, and
(b) point (g) of Article 9(2) applies.
How you comply with the ADM provisions may be different for children than for adults. This is because children’s needs and levels of understanding can vary, which may affect, for example, how you enable them to exercise their rights under these provisions. You must ensure that any measures you put in place are appropriate for the person you’re making decisions about.
Can we profile or make automated decisions about children?
It is possible for you to profile or make automated decisions about children. However, you should avoid doing so wherever possible. It’s important to remember that children merit specific protection, particularly when you use their personal information in this way.
If you plan to use children’s information to make solely automated significant decisions about them (including through profiling), you should be able to demonstrate how your implementation of the required safeguards considers their needs. This also helps you comply with your data protection by design obligations.
If you provide an ISS likely to be accessed by children, you must take their needs into account as part of implementing data protection by design. This means:
- considering how activities like profiling and automated decision-making may affect children at different ages and developmental stages; and
- building in appropriate safeguards from the start.
Conforming to the children’s code and meeting other relevant obligations (eg under the OSA) can also help you implement these safeguards in practice.
If the ADM provisions don’t apply to your use of children’s personal information, you don’t need to have the specific safeguards in place. However, you must still meet all other UK GDPR requirements.
What types of decisions have a legal or similarly significant effect on children?
The UK GDPR says that:
a decision is a significant decision, in relation to a data subject if –
(i) it produces a legal effect for the data subject, or
(ii) it has a similarly significant effect for the data subject.
A decision produces a legal effect for a child if it impacts their legal rights or legal status in some way. For example, a decision that impacts their receipt of a benefit they’re entitled to under the law.
A decision has a similarly significant effect for a child if it has an equivalent impact on their circumstances, behaviour, opportunities or choices. For example, a decision that significantly impacts their health or access to education.
In extreme cases, significant decisions might exclude or discriminate against the child.
Example
As part of a new initiative, a local authority decides to use an automated system to help it determine whether a child qualifies for free school meals based on their household information.
The outcomes produced by this system will have a legal effect on children. This is because they determine whether the child can access free school meals provided under the law.
Example
A video‑sharing service uses a solely automated moderation system to remove a 16‑year‑old user’s video. The moderation action is taken after a solely automated analysis classifies the video as violating the service’s content policies.
Because the video classification process involves analysing the user’s personal information, the service is making a solely automated decision about that user.
As the user is a content creator and relies on their videos for income, the removal has a significant impact on their earnings. This is a solely automated decision that has a legal or similarly significant effect on them.
Organisations sometimes use automated decision-making and profiling based on personal information to influence a person’s choices and behaviours. For example, an online service may use a profile of a child’s past browsing behaviours to display certain adverts to them, with the aim of influencing them to buy those products.
This raises particular risks for children, as they may be more easily influenced than adults and less able to understand:
- how and why you want to use their personal information for these purposes; and
- what impacts your use of their personal information may have on their behaviour or choices.
Not every automated decision you make about a child has a legal or ‘similarly significant’ effect on them. However, thinking carefully about the context of your decision-making can help you understand the possible impacts on the child.
To help you assess the impact of using children’s information for profiling or automated decision-making purposes, you could consider wider evidence. For example, the Committee of Advertising Practice bans the advertising of high fat, salt or sugar food or drink products in children’s media because of its likely effect on children’s health. If advertising standards ban or limit the marketing of certain types of products to children, this suggests that influencing a child’s choices in this area may have a similarly significant effect on them.
What do we need to do if we plan to use children’s personal information to profile or make automated decisions about them?
You must complete a DPIA to establish whether your use of their personal information to profile or make automated decisions about them will result in a high risk to their rights and freedoms. This is because we think that using children’s personal information in this way is likely to result in such a risk.
You must also consider measures to reduce or avoid each of the risks to children you identify. You should record any additional measures you plan to take. If you identify a high risk to children that you can’t mitigate, you must consult us before proceeding. (For more information on DPIAs and children, see the earlier section ‘How do we build in data protection from the start when using children’s information?’)
You should carefully consider why you want to use the child’s personal information and select the lawful basis that best reflects this purpose. It is not appropriate for you to select a lawful basis simply because there is an article 22B condition you want to rely on. Remember that the UK GDPR prohibits you from using the recognised legitimate interest lawful basis to make solely automated significant decisions about people.
If you plan to profile children for marketing purposes, you must consider the associated risks. This is because behavioural advertising may influence children more easily than adults, especially online. If a child objects to your use of their personal information for profiling related to direct marketing, you must stop using their information for these purposes.
If you provide an ISS likely to be accessed by children, the children’s code explicitly highlights the risks of profiling and sets clear expectations:
- Switch profiling options ‘off’ by default unless you can show a compelling reason not to, taking into account the child’s best interests. Commercial marketing, for example, is unlikely to be a sufficiently compelling reason.
- Only allow profiling if you have appropriate measures in place to protect children from harmful effects (eg being shown content that is detrimental to their health or well-being).
In all circumstances, you must ensure that you protect children when you use their personal information for profiling or automated decision-making purposes.
Further reading – ICO guidance
- Automated decision-making and profiling
- Special category data
- DPIAs
- Right to object
- Age appropriate design code – standard 12: profiling
Other resources