The Information Commissioner’s Office (ICO) is calling on social media and video-sharing platforms to improve their data protection practices so children – and their data – are safer online.
Since the introduction of the children’s code of practice in 2021, the ICO has been collaborating with online services to create better privacy protections for children, aiming to ensure their personal information is used appropriately within the digital world.
In the UK and the EU, the digital world is held to a higher standard when it comes to the processing of children’s data, with stricter rules for personal data collections and transfers.
The ICO has said it has seen significant progress in this arena, with many organisations beginning to assess and mitigate potential privacy risks to children on their platforms.
The new Children’s code strategy builds on the progress to date and sets out the priority areas social media and video-sharing platforms need to improve on in the coming year, as well as how the ICO will continue to enforce the law and drive conformance with the code by industry.
“Children’s privacy must not be traded in the chase for profit. How companies design their online services and use children’s personal information have a significant impact on what young people see and experience in the digital world,” John Edwards, the UK information commissioner said.
“Seven out of ten children told us that they trust our Children’s code to make the internet better and safer for them. That’s why our determination to ensure online services are privacy-friendly for children is stronger than ever.
“I’m calling on social media and video-sharing platforms to assess and understand the potential data harms to children on their platforms, and to take steps to mitigate them.”
For the 2024 to 2025 strategy, the ICO has laid out four key priority points of focus for children’s online data protection.
1. Default privacy and geolocation settings
The ICO is recommending that companies make children’s profiles private by default and turn off geolocation settings on apps by default as well. The ability to track the location data of a child can create risk, including potentially having their information misused to compromise the child’s physical safety or mental wellbeing.
2. Profiling children to targeted advertisements
Children’s profile information should by default not be used for targeted advertising, the ICO says, “unless there is a compelling reason.” The stipulation that there is an exception to this rule could leave room to interpretation by major social media services and games used by children.
Children my not be aware that their personal information is being collected or that this is used to tailor the adverts they see. This may impact children’s autonomy and control over their personal information, and could lead to financial harms where adverts encourage in-service purchases or additional app access without adequate protections in place.
3. Using children’s information in recommender systems
The ICO plans to take special consideration of recommender systems which can steer users toward certain content, which for children may be considered harmful or inappropriate. These feeds, generated by algorithms, can create pathways to harmful content like self-harm, suicidal ideas, misogyny, or eating disorders.
The algorithms themselves may also lead children to spend more time on the platforms, causing them to share even more personal information.
Recommended reading
Restrictions on harmful content for children have come into effect via the Online Safety Act, and Ofcom is currently setting out guidance on how these rules will be rolled out and enforced. The ICO will play a role in this online safety regime by protecting children’s data online as well.
4. Using information of children under 13 years old
Children under the age of 13 can’t consent to their personal information being used by an online service, and parental consent is required instead.
The ICO plans to take into consideration how services gain consent, and how they use age assurance technologies to asses the age of the user and apply appropriate protections, are important for mitigating potential harms.
“Children’s privacy is a global concern, and businesses around the world need to take steps to ensure children’s personal information is used appropriately so it doesn’t leave them exposed to online harms,” Edwards said.
