Children’s Data: A Comparison of the DPC and ICO’s Approaches
This briefing will compare the draft “Fundamentals for a child oriented approach to data processing” (the “Fundamentals”) recently released by the Data Protection Commission of Ireland (the “DPC”) with the Age Appropriate Design Code (the “AADC”) produced by the Information Commissioner’s Office in the UK (the “ICO”). The AADC was adopted in September 2020 and organisations have until 2 September 2021 to comply. See our briefing on the Fundamentals here.
The Fundamentals apply to both online and offline services that are directed at, or intended to be accessed by, children. They are broader in scope than the AADC, which focuses on the privacy-by-design features that must be engineered into online services used by children. Nevertheless, the Fundamentals are consistent with the AADC, in particular because the principle of the best interests of the child underpins both documents. Under the AADC, the best interests of the child should be a primary consideration when developing online services likely to be accessed by a child. The Fundamentals reach further, providing that the best interests of the child should be paramount in any decision making concerning the processing of children’s data.
Under both the AADC and the Fundamentals, organisations may choose to apply certain privacy standards to all users or they may take a risk-based approach to verifying users’ age to ensure the relevant standards are applied to the processing of children’s data. In contrast to the AADC, the Fundamentals state that a higher burden applies to technology and internet organisations (i.e. whose business models are predicated on deployment of digital and online technologies) in their efforts to both verify age and verify that consent has been provided by a parent / guardian.
Under the Fundamentals, organisations cannot rely solely on stating that a service should not be used by children below a certain age. If organisations provide such a service, they must take steps to ensure their age verification mechanisms are effective at preventing children below that age from accessing it. If this is not possible, organisations must safeguard users both below and above the minimum age threshold.
The transparency requirements of the GDPR specifically mention children, and it is therefore unsurprising that both the Fundamentals and the AADC place heavy emphasis on transparency. Both provide that information should be presented to children in a clear, concise and accessible way. The Fundamentals also provide that children should be able to raise questions with organisations directly (e.g. via instant chat or a privacy dashboard) regarding the transparency of the information they receive. Unlike the AADC, the Fundamentals do not contain specific recommendations on the type and level of detail of information that should be provided to different age groups.
The Fundamentals adopt a strong line in relation to profiling, namely that children’s data should not be collected to profile and target them with advertisements unless it can be clearly demonstrated how and why this is in the best interests of the child. The DPC recognises that although this should be straightforward to implement across services that target children specifically, it is more complex in “mixed use” internet environments. In those instances the DPC states that organisations must be able to identify and protect children, or else implement a no-profiling policy. The Fundamentals state that there is a high burden of proof on organisations to show profiling is in a child’s best interests and that there will be a “very limited range of circumstances” in which it can be shown that this is a legitimate, lawful activity.
The ICO’s approach is also underpinned by the best interests principle. The AADC states that profiling of children should be off by default unless a compelling reason for having it on by default can be demonstrated, taking account of the best interests of the child. The ICO emphasises that defaulting profiling off does not mean that profiling is banned. Rather, if the steps set out in the AADC, such as obtaining effective consent, are followed, profiling can occur safely and fairly.
Organisations whose services fall within the scope of the Fundamentals should carry out a data protection impact assessment (“DPIA”) in respect of the different types of processing operations which are carried out on the personal data of children. The DPC state that the best interests of children must be a key criterion in any DPIA. A DPIA is mandatory for profiling children to target marketing or online services at them.
The AADC provides that a DPIA should be conducted to assess and mitigate risks arising from processing to the rights and freedoms of children who are likely to access a service.
Exercising data subject rights
The DPC states that there is no “magic age” at which children will be equipped to exercise data protection rights. The Fundamentals therefore provide that a child may exercise his / her data rights at any time as long as the child has the capacity to do so and it is in the child’s best interests. The DPC emphasise that children should also be able to be represented by an adult.
The AADC also does not set a certain age at which children should be able to exercise their data protection rights. Instead, the AADC states that children should be provided with accessible tools to exercise their rights and provides guidance to organisations on the types of such tools depending on the age of users.
Bake it in
The “Bake it in” fundamental incorporates a number of the AADC’s standards:
- Default settings – the Fundamentals and the AADC both provide that the highest privacy settings should apply to children by default. The DPC states that where default privacy settings are changed, they should revert to the default at the end of the user session. The ICO takes a different approach, stating that when users change their settings they should be given a choice whether to change them permanently or for the current session only;
- Data minimisation – both the Fundamentals and the AADC provide that only the minimum amount of personal data of children should be collected. The Fundamentals contain a higher standard than the AADC around reducing the level of granularity and accuracy of data types collected from children;
- Data sharing – the Fundamentals state that data should not be shared without clear parental knowledge, awareness and control. Children’s identity and contact details should not be made available to others without parental involvement. Limited audience selections should be the default setting for sharing and children should be informed of possible risks associated with sharing personal data. The AADC provides that children’s data should not be disclosed unless there is a compelling reason to do so, taking account of the child’s best interests;
- Geolocation – under both the Fundamentals and the AADC, geolocation should be off by default; the Fundamentals allow an exception where the service is dependent on location data, and the AADC where there is a compelling reason for not doing so. Any sharing of location data should be obvious to the child. The Fundamentals also provide that the accuracy of any geolocation data relating to children should be significantly reduced except where greater precision is necessary;
- Parental controls – both the Fundamentals and the AADC provide that if parental controls are available, it should be visible to the child that a parent / guardian has sight of the child’s activity; and
- Nudge techniques – the Fundamentals and the AADC adopt the same approach to nudge techniques i.e. that nudge techniques should not be used to encourage children to provide unnecessary information or turn off privacy protections. It is permissible to use pro-privacy nudges where appropriate to do so.
The Fundamentals set out further requirements that have no corresponding standard in the AADC. For instance, the Fundamentals provide that if a service is directed at, or likely to be used by, children, an organisation cannot bypass its obligations by shutting children out or depriving them of a rich user experience.
The “Bake it in” fundamental, as discussed above, also covers a number of areas not dealt with under the AADC, including user choice, personal data breaches and security.
The AADC provides that children’s data should not be used in any way that has been shown to be detrimental to their wellbeing, or that goes against industry codes, regulatory provisions or government advice. The AADC also places a requirement on organisations to uphold their own published policies and community standards. There are no directly corresponding requirements in the Fundamentals.
Organisations should review any processing of children’s data and take steps to ensure compliance with the AADC and the Fundamentals, as applicable. Whereas the AADC has been adopted, the DPC has not set out a timeline for the adoption of the final version of the Fundamentals. While the content of the final Fundamentals may change depending on the responses received to the DPC’s consultation, it is important to note that the DPC has stated the final version will inform its approach to supervision, regulation and enforcement in this area. The DPC has also made clear it will be engaging with its obligations under Section 32 of the Data Protection Act 2018 to encourage organisations to draw up sectoral codes in this area.