Social media and video-sharing giants are being urged to prioritise children’s online privacy or risk the wrath of global data regulators, amid a new warning that kids’ privacy must not be traded in the chase for profit.
The call comes as the UK Information Commissioner’s Office has set out its 2024-2025 priorities for protecting children’s personal information online and has signed a new international multilateral agreement with the Global Cooperation Arrangement for Privacy Enforcement (Global CAPE) to cooperate in cross-border data protection and privacy enforcement.
Global CAPE members include the US, Australia, Canada, Mexico, Japan, the Republic of Korea, the Philippines, Singapore, and Chinese Taipei.
Since the introduction of its Children’s Code of Practice in 2021, the ICO has been working with online services including websites, apps and games to provide better privacy protections for children, ensuring their personal information is used appropriately within the digital world.
It maintains there has been significant progress and many organisations have started to assess and mitigate the potential privacy risks to children on their platforms.
The new Children’s Code strategy builds on the progress to date and sets out the priority areas social media and video-sharing platforms need to improve on in the coming year, as well as how the ICO will continue to enforce the law and drive conformance with the code by industry.
Commissioner John Edwards said: “Children’s privacy must not be traded in the chase for profit. How companies design their online services and use children’s personal information have a significant impact on what young people see and experience in the digital world.
“Seven out of ten children told us that they trust our Children’s Code to make the Internet better and safer for them. That’s why our determination to ensure online services are privacy-friendly for children is stronger than ever.
“I’m calling on social media and video-sharing platforms to assess and understand the potential data harms to children on their platforms, and to take steps to mitigate them.”
For 2024 to 2025, the Children’s Code strategy will focus on a number of areas, including:
– Default privacy and geolocation settings. The ability to ascertain or track the location data of a child creates risks, including potentially having their information misused to compromise their physical safety or mental wellbeing. This is why children’s profiles must be private by default and geolocation settings must be turned off by default.
– Profiling children for targeted advertisements. Children may not be aware their personal information is being collected, or that it can be used to tailor the ads they see. This may impact children’s autonomy and control over their personal information, and it could lead to financial harms where ads encourage in-service purchases or additional app access without adequate protections in place. Unless there is a compelling reason to use profiling for targeted advertising, it should be off by default.
– Using children’s information in recommender systems. Content feeds generated by algorithms may use information such as behavioural profiles and children’s search results. These feeds may create pathways to harmful content such as self-harm, suicidal ideas, misogyny or eating disorders. The design of recommender systems may also encourage children to spend longer on the platform than they otherwise would, leading to children sharing more personal information with the platforms.
– Using information of children under 13 years old. Children under the age of 13 can’t consent to their personal information being used by an online service, and parental consent is required instead. How services gain consent, and how they use age assurance technologies to assess the age of the user and apply appropriate protections, are important for mitigating potential harms.
Further cooperation with other UK regulators such as Ofcom and international counterparts will also be a focus for the ICO, as it aims to raise global data protection standards for the benefit of UK children.
Edwards added: “Children’s privacy is a global concern, and businesses around the world need to take steps to ensure children’s personal information is used appropriately so it doesn’t leave them exposed to online harms.”
Tech giants have been under increasing scrutiny to protect children on their platforms.
A third of all GDPR fines handed out to social media platforms are related to mishandling children’s data: three to TikTok, totalling €360m, and one for Instagram of €405m. Meanwhile, the ICO slapped the firm with a £12.7m fine for a host of breaches of data protection law, including failing to use children’s personal data lawfully.