Keeping children's data safe
Kids these days eh?! On average they spend way more time online than they do out in the fresh air, and as they do so they leave a trail of data. The law says it should be protected and companies should only process it with parental consent. But can you help your children keep their data safe from those that would exploit it?
By Rightly
Wed 26 Jul 2023

The average child spends more than four-and-a-half hours per day on electrical devices - and just 40 minutes outside, according to a survey. According to a report by Common Sense Media in 2019, children aged eight to 12 spent an average of nearly five hours per day using screens for entertainment purposes, and teenagers (ages 13 to 18) spent an average of over seven hours per day on screens. This includes time spent on activities like social media, video streaming, playing games, and other forms of online content consumption.
In another study by Statista, a statistics company, in 2022, children aged between four and 18 years in the UK spent an average of 114 minutes per day on TikTok, followed by 91 minutes per day on Snapchat. They also used Instagram for 30 minutes a day on average.
In 2021, around 60 percent of UK children between eight and 11 years old owned a smartphone, whilst thirty percent of children aged between five and seven had access to their own device. Mobile phones were the second most popular devices used to access the web by children aged between eight and 11, with tablets the most popular for users aged between three and 11.
Concerned parents
More parents than ever feel concerned about the risks posed to their children by their children’s online activity. Concerns about children’s data breaches are at an all-time high. But at the same time, parents are more likely to entrust younger children with greater digital independence - around 50% of 10-year-olds now own a smartphone, compared to 30% in 2015.
The online presence of children and the collection of their data pose several significant dangers, including:
- Privacy concerns: Children may not fully understand the consequences of sharing personal information online, and this could lead to the disclosure of sensitive data, such as their full names, addresses, schools, or contact details. This information could be exploited by malicious individuals for identity theft, cyberbullying, or other harmful activities
- Cyberbullying and online harassment: When children share personal information online, they become vulnerable to cyberbullying and harassment from peers or strangers. This can have severe emotional and psychological effects on their well-being
- Online predators: Children's data can attract online predators who may use the information to groom or exploit them. Predators may pretend to be someone else to gain a child's trust and then attempt to meet them in person or coerce them into sharing more private information or explicit content
- Targeted advertising: Children's data is often collected to create targeted advertising profiles. Advertisers might use this information to manipulate children into making purchases or to influence their behaviour, which raises ethical concerns
- Data breaches: If the websites or online platforms where children's data is stored experience a data breach, their sensitive information could be exposed to unauthorised individuals, leading to potential identity theft or misuse
- Exposure to inappropriate content: Children may be exposed to age-inappropriate content, such as violence, explicit material, or harmful ideologies, when their data is used to customise online experiences
- Digital footprint: Information shared online can leave a lasting digital footprint that may impact a child's future opportunities, such as college admissions or employment, as prospective institutions and employers may review an applicant's online presence
- Addiction and overuse: Spending excessive time online, especially on social media and gaming platforms, can lead to addiction and impact a child's physical health, mental well-being, and academic performance.
To protect children from these dangers, it’s essential for parents and guardians to be proactive in supervising their online activities, educating them about online risks, and setting appropriate limits on screen time. Additionally, governments and technology companies have a responsibility to implement robust privacy policies and age verification mechanisms to safeguard children's data and online experiences.
Children’s rights
Under the General Data Protection Regulation (GDPR) of the European Union, children have specific rights regarding the processing of their personal data. The GDPR recognises that children are particularly vulnerable when it comes to the processing of their personal information, especially in the context of online services and so children’s data has additional protections and conditions. As a result, it provides certain protections and rights for children, which include:
- Parental consent: For children under the age of 16, the processing of their personal data is only lawful if parental consent has been obtained
- Right to information: Children have the right to receive clear and age-appropriate information about the processing of their personal data. This includes explanations of the purposes for data processing, the categories of data being processed, and their rights in relation to their data
- Access to personal data: Children, like adults, have the right to request access to the personal data that organisations hold about them. This allows them to be aware of and verify the lawfulness of the processing.
- Right to rectification: Children have the right to request the correction of inaccurate or incomplete personal data
- Right to erasure (Right to be forgotten): Children have the right to request the deletion of their personal data, especially when the data is no longer necessary for the purposes for which it was collected or when the data processing was based on consent
- Right to object: Children have the right to object to the processing of their personal data in certain circumstances, such as direct marketing or processing for legitimate interests
- Data portability: While less relevant for children, the GDPR also provides the right to data portability, allowing individuals (including children) to request and receive their personal data in a structured, commonly used, and machine-readable format
- Restriction of processing: Children can request the restriction of processing in specific situations, such as when the accuracy of their data is contested, or when they have objected to the processing.
It's important to note that while the GDPR grants these rights to children, there are specific considerations and safeguards that organisations must put in place to ensure the protection of children's personal data.
Sharing children’s data
According to GDPR, sharing children’s data should be avoided. Ideally, children’s data should only be shared when it’s overwhelmingly in their interest, such as for safeguarding purposes. If children’s data is shared with any third parties, there should be due diligence checks to ensure that the children’s interests are protected.
Organisations that process children's data must implement appropriate measures to verify age and obtain parental consent when required. They should also design their privacy notices and practices with a child's understanding in mind, providing information that is easy for children to comprehend.
Children’s data and marketing
A big concern is the use of children’s data, in particular how it’s being commercialised for use in advertising. Ofcom’s report shows that parents are increasingly concerned about the pressure on their children to make in-game purchases, for example.
GDPR does not necessarily prevent children’s personal data from being used for marketing purposes. But data collectors should be particularly careful. Data collectors should produce a DPIA (data protection impact assessment) if they are going to process children’s data for marketing to assess the risks posed to the child.
At the very least, the data collector must make it clear to the child that their data is being collected and used for marketing, and that they can ask for this processing to be stopped at any time.
Targeted advertising, which is often based on automated profiling rather than direct collection of data, is equally warned against by GDPR. Data profiling is largely an automated process, based on identifying patterns across enormous data sets. Data profiling of children is not banned by GDPR, even when it is used to make decisions about the user, such as what adverts to show them, unless that decision will have a legal or otherwise significant effect on the child. It is not clear what is included as a significant effect.
The advice from the ICO (Information Commissioner’s Office) to data collectors is that organisations should generally refrain from profiling children for marketing purposes, as children are particularly susceptible to behavioural marketing and so its use is exploitative.
Children are considered to have a double vulnerability because:
- they might not realise that their personal data (such as information on their hobbies, or their email address) will be used for marketing. So this purpose must be made clear and it must be made clear that the child can object to their data being used for marketing.
- they might not be able to critically assess the marketing content and may be more easily convinced to make unwise purchasing decisions. So the marketing content must not exploit this.
There are also specific advertising standards for content directed at children, and online advertising must comply with these.
Social media
Social media platforms generally collect four main types of data: your registration details, your activity or interaction with the site, the content you upload, and data from your devices, including IP addresses, GPS and cookie data. They also purchase third-party data.
Though most social media sites have minimum age limits, it’s clear that they have access to an immense amount of children’s data. Some is of course gathered from the older children that legally use the services. Some of this data is derived from adult (parent and family) users, by looking at the family photos they post, the behaviour on their devices that looks more like a child’s activity, the child-relevant apps, searches and purchases. Some of it is derived from younger children who have got around the minimum age limit.
This large pool of data means social media sites are easily capable of profiling children.
There have been several cases of parents raising concerns about the handling and harvesting of children’s data by social media sites. YouTube and Instagram have both had complaints raised against them. YouTube is accused of collecting data on younger children without parental consent, and Instagram of allowing children to publicly post their contact details.
Can organisations share children’s data?
Under GDPR and the UK Data Protection Act 2018, organisations can share children's data in the UK, but there are strict rules and conditions which must be followed to ensure the lawful and ethical processing of such data. Some of the lawful bases that could apply when sharing children's data include:
- Consent: If the child is old enough to understand the implications of data sharing (usually 13 years old or older), their consent can be a lawful basis for processing their data. However, if the child is younger, consent must be obtained from a parent or guardian
- Legal obligation: If there are legal requirements or obligations that necessitate sharing children's data, organisations can do so under the legal obligation basis
- Vital interests: In situations where sharing a child's data is necessary to protect their vital interests (e.g., for medical emergencies), organisations can process the data on this basis
- Contractual necessity: When data sharing is necessary to fulfil a contract with the child or their parent/guardian, organisations can rely on the contractual necessity basis
- Legitimate interests: Organisations may share children's data if they have a legitimate interest in doing so, provided that the child's rights and freedoms do not override those interests. This basis is often subject to careful consideration and assessment
When processing children's data, organisations have a higher level of responsibility and must take specific precautions to protect their privacy and ensure their safety. If an organisation is offering online services directly to children and processing their personal data for such services, additional requirements apply under the GDPR's "Children's Information Society Services" (CISS) provisions.
Organisations must comply with the Data Protection Principles, which include ensuring that the data processing is fair, transparent, and limited to the intended purpose. They should also maintain data security and only retain the data for as long as necessary.
In summary, organisations can share children's data in the UK, but it must be done with a lawful basis for processing and in compliance with the relevant data protection regulations, with particular attention to the protection of children's privacy and rights.
Protecting children’s data
Whilst the regulations remain inadequate and ambiguous, the answer is not as simple as cutting children off from the virtual world entirely. Of course children, and the adults that look after them, appreciate the convenience and leisure afforded by being online. We know that even older children struggle to fully comprehend the extent of data collection. Evidence suggests that good support (from schools, from parents) can make a significant difference to children’s privacy online.
Parental mediation through discussion and monitoring, without being overwhelmingly restrictive, can be more empowering for children. The best way to raise children as conscientious and careful digital citizens is to educate them, so that they learn to protect themselves while reaping the benefits of technology.
Teenagers in particular, who are above the age of digital consent, should be properly informed about how their data is collected and used, and their rights under GDPR. But younger children too need to know how their data is collected and used, and about their right to view, correct, object to and erase that data. They should know that data is collected in ways you might not expect or notice and that it is incredibly profitable for the companies collecting it.
And parents should get clued up too! Ofcom’s report shows that parents are already on it - they’re now almost twice as likely as they were in 2018 to go online themselves for support and information on keeping their children safe.
Cleaning up the kids’ data
Out there in the wilds of the internet, there are hackers and scammers that prey on online data, including that belonging to children. And there are other kinds of predators that would buy access to that data if they could, maybe from the dark web where a hacker is offering reams of stolen data for sale to anyone with the cash.
Keeping your kids’ data safe is important, and to keep it out of the hands of scammers you can take steps to get it deleted from anywhere it’s no longer needed.
The best way to avoid having your children’s data stolen in a data breach is to make sure it’s not stored amongst any data that gets stolen. You can get their data deleted from any organisation that no longer needs it by using our Rightly Protect service. It’s quick, simple and free and will tell you just who has your data and give you the chance to instruct them to completely erase it, if that’s what you want to do.