Last updated: May 15, 2023
The EU General Data Protection Regulation (GDPR) came into force in 2018, and the UK’s Children’s Code came into force in September 2021. The Code has a statutory footing, so it would inform a GDPR enforcement action, yet a surprising number of online services are still not fully compliant. What does this mean for businesses globally? Data controllers and processors must adhere to the regulation if they collect and store the personal data of EU and UK citizens, including children. The regulation gives children the same rights as all other data subjects, with added protections on top. Violations result in hefty fines. The Children’s Code brings further enforceable requirements for industry. Here are our top tips to support your business in getting into shape:
1. Know what personal data you process.
Do you know what you collect, where it comes from, and who you share it with?
Users must be informed about the personal data collected and how it will be used before it is collected. Transparent notice is key to obtaining valid consent if you rely on consent as your lawful basis. When your users are children, you are required to provide age-appropriate information. Notice must be provided for each purpose for which personal data is processed. It is not valid to seek blanket consent from a data subject, for example by asking them to agree to “all our processing needs.”
2. Understand your data subjects’ rights in regard to their personal data.
How well do you know the rights of your data subjects?
Data subjects have rights over their personal data, and children have enhanced protection and rights. It is key to understand these rights and to ensure you have processes in place to meet them. In particular, a child has the right to be forgotten: do you have a process in place to manage such requests?
3. Verify the role or age of minors.
How are you going to verify age according to the age of consent in each EU Member State?
If your service attracts children, you have a responsibility to verify age and to seek an appropriate level of age assurance. There are a growing number of ways to do this, and much industry discussion on age assurance versus age verification. It is important to take this step, because failing to do so can have real consequences for your business, as recent headlines such as the TikTok case in Italy show.
Do you have a secure method of obtaining parent consent?
Meaningful parental consent, and how to obtain it, will depend on the sensitivity of the personal data collected and the level of risk to the child. Understand what you are collecting and processing, and the level of consent needed from the holder of parental responsibility. For low-risk data a simple opt-in might suffice, but in some cases the parent will need to be verified at a higher level and with a greater level of assurance.
Do you understand your obligations for data breach notification?
An information security policy is key to storing personal data, but do you also have a data breach notification policy in place? What steps will you take in the event of a breach to investigate, inform affected parties and regulators, and mitigate the harm? These are key questions that need to be answered before an incident occurs.
Review your app, website or other online service to see whether it adheres to the 15 standards in the Code. Ensure that you have a children’s privacy policy that is clear and understandable to your audience’s age group, that a high level of privacy is applied by default, and that geolocation tracking is off by default.
PRIVO can support your app or site to ensure compliance and avoid violations. It’s not too late to get your service in shape. PRIVO’s experience in the children’s online privacy space and its position as an influencer in the industry ensure the highest standards of support for your organization. Learn more about PRIVO’s GDPRkids™ Privacy Assurance program.