Many readers may be reading this blog when a notification from their fitness tracker pops up instructing them to stand up. Children are now beginning to wear trackable devices too. These devices are connected to the internet and may process a child’s personal data. Many children have and use social media accounts and there is the additional digitization of health and school records, which increases the online data trail of a child.

The collection of children’s personal data is an area of concern for both the Children’s Commissioner and the ICO. The GDPR and the UK Data Protection Act 2018, therefore, require extra measures to be taken when children’s data is collected. In the UK, a child must be at least 13 years old in order to consent to the processing of their personal data. If the personal data of a child (below 13) is collected, a parent or guardian must provide consent or authorize the processing of such data. Additionally, organizations are to make “reasonable efforts” to verify such authorization, including any cookie consents.

Recently, there have been calls for organizations like toy manufacturers to be even more transparent about how they handle children’s data, for example, by specifying how a child’s data may be processed on the packaging of the product.

The ICO has commissioned a consultation into how the requirements relating to the protection of children’s data under the GDPR and the DPA are best implemented in practice with the aim of producing an Age Appropriate Design Code. This code will set design standards expected of producers/suppliers of web services and apps aimed at children.

The Information Commissioner may take these design standards into account when enforcing its regulatory powers. The consultation has now closed, but we will keep you updated of any developments in this area.