ICO Warns Social Media & Video Platforms About Children's Privacy Practices

The Information Commissioner’s Office (ICO) announced on August 2, 2024 that it is putting on notice several major social media and video-sharing platforms to improve their handling of children's data privacy, following an ICO investigation that highlighted various areas of non-compliance with the UK’s Age Appropriate Design Code, also known as the Children's Code, for 11 out of 34 social media platforms (SMPs) and video sharing platforms (VSPs) as part of the ICO’s Children’s Code Strategy.

The investigation found issues related to transparency, data protection measures, and the use of algorithms that could expose children to inappropriate content, which has highlighted a need for these platforms to align with the standards set out in the Children's Code, which requires prioritizing the best interests of child users, the ICO has emphasized.

Emily Keaney, Deputy Commissioner, made the following statement:

There is no excuse for online services likely to be accessed by children to have poor privacy practices. Where organisations fail to protect children’s personal information, we will step in and take action. Online services and platforms have a duty of care to children. Poorly designed products and services can leave children at risk of serious harm from abuse, bullying and even loss of control of their personal information.

The "Age Appropriate Design Code" outlines standards for protecting children's data online and emphasizes that online services likely to be accessed by children must prioritize their best interests, offering high privacy by default, minimizing data collection, and avoiding harmful practices like profiling or using "nudge" techniques to encourage data sharing. 

The Code applies to various online services, including apps, games, and websites, and requires companies to conduct Data Protection Impact Assessments (DPIAs) to evaluate and mitigate risks to children’s data. 

In addition to this, the Code aligns with the UN Convention on the Rights of the Child and serves as a guideline to ensure compliance with GDPR and the UK's Data Protection Act 2018, and includes 15 standards designed to protect children's privacy and data online, as follows:

1. Best Interests of the Child: Prioritize the child's best interests in the design and development of online services likely to be accessed by them.
2. Data Protection Impact Assessments (DPIAs): Conduct DPIAs to identify and address risks to children's data privacy.
3. Age-Appropriate Application: Apply different standards based on the user’s age, or apply the highest standard to all users if age determination isn't possible.
4. Transparency: Provide clear, concise, and age-appropriate privacy information, with additional explanations at relevant points.
5. Detrimental Use of Data: Avoid using children's data in ways that could harm their well-being.
6. Policies and Community Standards: Adhere to your own published terms, policies, and community standards, especially those related to privacy.
7. Default Settings: Set privacy settings to high by default for child users.
8. Data Minimization: Collect and retain only the minimal amount of personal data necessary for the service.
9. Data Sharing: Limit the sharing of children's data to situations where it is necessary and in the best interests of the child.
10. Geolocation: Keep geolocation options off by default and make it clear to children when location tracking is active.
11. Parental Controls: Inform children when they are being monitored through parental controls.
12. Profiling: Keep profiling turned off by default, allowing it only if it is necessary and in the child's best interests with proper safeguards.
13. Nudge Techniques: Avoid using techniques that lead or encourage children to share unnecessary personal data or to weaken privacy settings.
14. Connected Toys and Devices: Implement protective measures for children's data when designing connected toys and devices.
15. Online Tools: Provide tools that are prominent and accessible to help children exercise their data protection rights.

The ICO has also clarified that the 11 SMPs and VSPs could face enforcement actions if they fail to make the necessary changes.