The ICO has today issued draft guidance on the protection of children’s data under the GDPR. The new regime requires some changes as parental consent is required for the use of information society services unless they are about offering counselling or helplines to children. The suggestion for age limit in the UK DP Bill is currently 13.
The House of Lords are keen to impose extra protections for children. Information Commissioner, Elizabeth Denham, says in her blog that a new amendment will commit her office to produce a code of practice for data controllers on age-appropriate website design. “While there are still some issues of detail to work out, it is a measure I support whole-heartedly, particularly as it furthers the concept of data protection by design, which is a key feature of GDPR.”
The ICO’s draft guidance says that information about privacy issues must be provided to children in an appropriate manner and, as far as possible, addressed directly to the relevant age group. Organisations could consider providing different versions of their privacy notice if they deal with several age groups.
‘If you are relying upon parental consent as your lawful basis for processing, then it is good practice to provide both a child-friendly and adult-friendly version of the privacy notice. This will give the consenting parent the information they need, and also help to inform and educate young children for the future and enable them to exercise their rights on their own behalf, should they wish to,’ the draft guidance says.
The ICO suggests that a privacy notice could be presented using diagrams, cartoons, graphics and videos that will attract and interest children. In an online context, dashboards, layers, just-in-time notices, icons and symbols may be useful.
‘In circumstances where you are directing an ISS (online service) at a particular age group, but are aware that children under your target age may wish to access your service, it is good practice to ensure that the younger child is made fully aware of the age limit of the site in language which is accessible and which they can understand. User testing may help you to assess this.’
This consultation closes on 28 February 2018. See https://ico.org.uk/about-the-ico/consultations/children-and-the-gdpr-guidance