• Privacy
  • Protect
  • Blog

Little people, Big data

Keeping children safe from harm is something we all should do naturally. But data relating to children is often overlooked and there are cases where companies have taken advantage of children, harvesting a great deal of data with neither the child nor their parents or guardians knowing.
Child Safety blog (1)

Child Safety Week is an annual community education campaign run by the Child Accident Prevention Trust (CAPT), acting as a catalyst for thousands of safety conversations and activities UK-wide. In this week’s blog we look at how to keep children’s data safe.

A new Human Rights Watch report published recently found that many countries did not protect children's privacy well enough when endorsing online learning products during COVID-19 lockdowns.

The report, called "How Dare They Peep into My Private Life?': Children's Rights Violations by Governments that Endorsed Online Learning during the Covid-19 Pandemic," examined over one hundred and fifty education technology products endorsed by 49 countries.

The report says that 89% of the education products seemed to use data practices risking or infringing children's rights. In many cases, the products harvest personal data such as who the children are, where they are, what they do in the classroom, who their family and friends are, and what kind of device their families can afford to use and so on. All without consent. In addition, many of the educational platforms use tracking technology that follow children outside of school.

In many cases, the children’s data is sent to advertising technology companies who use it to create behavioural advertising, risking distortion of children’s online learning experiences and impacting their opinions and beliefs in a way that could lead to manipulation.

In the UK, The ICO (Information Commissioner’s Office) defines a child as anyone under the age of 18. GDPR legislation contains provisions aimed at enhancing the protection of children’s personal data and to ensure that children are addressed in plain clear language that they can understand. Companies are urged to create ‘privacy by design’ and to take the child’s age into account in that design.

Sadly, despite the attempts to keep children’s data safe, there have been examples where their data has been compromised or misused. Here are a few:


YouTube attracts huge numbers of children and young people, apparently targeting young children with addictive programming. In a groundbreaking legal case, YouTube is accused of harvesting childrens’ data without consent from them, nor from their parents or guardians. The multi-billion pound claim, brought on behalf of up to five million British children aged under 13 and their parents and reported in 2020, alleges that YouTube’s methods of targeting underage audiences constitute major violations of the UK Data Protection Act and the EU’s General Data Protection Regulation (GDPR).

It has been alleged that YouTube has no effective age requirements and makes no real attempt to limit usage by young children. Owned by Google, YouTube claims not to target underage viewers but its popularity with British children is unrivalled even by mainstream TV channels. The UK media regulator Ofcom reported earlier this year that most children aged three years or over now watch YouTube at least once a week, and on average, for several hours.

Cornwall Council

Earlier this year the BBC reported that Cornwall Council had accidentally published the personal details of five school children which appeared in publicly accessible meeting documents. The data revealed included names, addresses and dates of birth and in one case, a teenager’s mobile number. The data loss also included email addresses and names of parents and highly personal extracts from court documents. As soon as it was discovered, the Council removed the information.

Breaching the MoD

In January this year, it was reported that the personal data of 4,142 children and families of serving UK forces personnel was exposed in a data breach. The data related to children attending Ministry of Defence schools, located in Belgium. An account was compromised and then used to send spam emails to users in its address book. Control of the account was regained and the MoD investigation didn’t find any data loss. But, this breach indicates how vulnerable people could be with potentially serious issues if carried out by sinister actors, particularly when impacting people in the armed forces.

Baby steps

The ICO has a 15 point ‘Age Appropriate Design Code’ that companies producing apps, websites, video games, social media and connected toys should comply with. Protection of personal data relating to children is a regulatory priority for the ICO. Despite that, with a series of data breaches and infringements of children’s data, a few steps can be taken to protect them.

If you’re responsible for children, make sure the settings in an app or internet channel are set so that the child is protected as far as possible. Use parental controls whenever you can. Those settings should be at the safest level by default, but worth checking.

Companies are encouraged to provide child-friendly tools to help children exercise their data protection rights and report concerns. Switch off geolocation to prevent tracking.

The main thing that can be done is to get children’s data erased from companies that don’t need it. An easy way to do that is to use Rightly Protect to work out which companies have your children’s data and issue an instruction to erase it to all of them in a single click.

Related Articles