Control measure: The privacy risks for children are considered before any profiling activities.
Risk: Without an appropriate assessment to determine the necessity of profiling children's information, there is a risk that the profiling is not lawful and will impact their rights and freedoms. This may breach recital 38 and article 22 of the UK GDPR.
Ways to meet our expectations:
- Assess whether profiling is essential to provide children with the service.
- Assess the impact to children's rights and freedoms of the profiling activities that are essential for you to provide your core service.
- Apply privacy settings that are 'on by default’ for all non-essential profiling.Options to consider:
- Complete a DPIA to assess the risks of each profiling activity.
Control measure: Age-appropriate information is provided at the point any profiling options are turned on to inform children what will happen to their personal information and highlight any risks inherent in that processing.
Risk: Without appropriate privacy information that informs children about all types of profiling activities taking place, there is a risk of 'invisible' profiling that may have a detrimental effect on the child and reputational damage to the provider. This may breach articles 5(1)(f) and 12 to 22 of the UK GDPR.
Ways to meet our expectations:
- Give age appropriate and timely information about the processing at the point that profiling takes place.
- Assess whether you need any additional age assurance measures, (eg depending on the age range of the child, at the point at which profiling is enabled).
- Apply separate privacy settings for each different type of profiling. Do not bundle different types of profiling together under one privacy setting.
- Apply a separate privacy setting for any behavioural advertising, except if this is your core service.
- Provide age-appropriate prompts to children to seek assistance from an adult and not to activate the profiling, if they are uncertain or don’t understand.
Options to consider:
- Provide focused or bite-sized privacy information relevant to each profiling activity.
- Provide information or explanations using graphics or visual content to support accessibility.
- Allow children to actively select their preferences, instead of profiling them.
Control measure: Profiling is only undertaken when there are appropriate measures in place to protect the child from any harmful effects (in particular, when being fed online content or behavioural advertising that is detrimental to their health or wellbeing).
Risk: Without adequate protections in place, there is a risk that profiling activities could cause harmful effects on children, such as further content suggestions or behavioural advertising. This may breach UNCRC article 16 and article 5 (1) (a), recital 38 of the UK GDPR.
Ways to meet our expectations:
- Implement measures such as contextual tagging, robust user reporting procedures, and elements of human moderation to your service.
- Continuously review new content streams or services, and the materials being suggested or provided, to ensure they remain age appropriate.
- Apply editorial controls over the content being displayed when profiling is done about what further online content to suggest to children.
- Operate a valid consent ‘opt in’ (for children under 13, from the parent or holder of parental responsibility) for any profiling you do for behavioural advertising that is not part of the core service that the child wishes to access.
- Ensure that if you collect a child's personal information for one purpose, you do not use it for another, following profiling activities.
Options to consider:
- Make sure you adhere to codes of conduct or other regulatory provisions (eg The Editors’ Code of Practice or the Ofcom Broadcasting Code).
- Make sure you adhere to the UK Code of Non-broadcast Advertising and Direct and Promotional Marketing (CAP code) when you target advertising through using personal information.
Control measure: Where cookies are used for the purposes of profiling children, PECR rules are considered for the cookie setting. The profiling activities that the cookie supports or enables comply with the UK GDPR and the code.
Risk: Without consideration of the necessity, proportionality, fairness and lawfulness of the use of cookies within the service, this may breach PECR, UK GDPR and the code.
Ways to meet our expectations:
- Consider whether the cookie is for essential or non-essential processing. Apply an appropriate privacy setting, if the cookie isn’t essential to provide the service that the child wants to access.
- Keep evidenced consent for the cookie, as well as a UK GDPR lawful basis for processing (in practice this may also be consent).
- Evidence that the cookies you use for age estimation or age assurance are essential for your service. If you use the cookie solely for this purpose, then the child does not need to consent to the cookie.
- Provide transparency information if you use non-essential cookies to track user interaction.
Options to consider:
- Refresh consent for non-essential cookies, particularly as children become older and more able to understand the risks.
- Provide focused or bite-sized privacy information relevant to each cookie.
- Provide information or explanations using graphics or visual content to support accessibility.