Transparency is arguably one of the most important principles of the GDPR. Without it, data subjects are unaware of how their personal data is processed, leading to a myriad of abuses and making it impossible for individuals to exercise their other rights under the law. Children are particularly vulnerable given they are more likely to lack the ability to understand, scrutinise and challenge the way their data is used. It is therefore not surprising that, according to a survey undertaken by the ICO, people ranked children’s privacy as their second biggest data protection concern (cyber security came first).
The extent to which companies protect the privacy of their underage users or consumers is increasingly subject to regulatory scrutiny and one of the key focus points is transparency. This is evidenced for example by the EUR750,000 fine that the Dutch data protection authority (DPA) imposed on TikTok on 22 July for failing to comply with its transparency obligations. You can find the decision here (Dutch language only). Specifically, the DPA found that TikTok acted in breach of its obligation to use clear and plain language by providing its users, who mainly consist of children, with information in the English language only. TikTok is appealing the fine, but the decision is an important reminder to companies to ensure that their privacy notice is appropriately worded for the intended audience.
Post-Brexit, the decision is less relevant for UK companies that only focus on the national market. However, it will still be very important for any UK (or other non-EEA) company that is caught by the extra-territoriality provisions of the EU version of the GDPR. In particular, any of those businesses offering services to children residing in the EEA should take note.
The DPA’s decision is part of a wider move to increase the protection of children online. In the UK, we have the Online Safety Bill which focuses, among other matters, on preventing online abuse of children. In addition, there is the ICO’s Children’s Code (the Code) which contains a large number of measures that companies should take to ensure that the privacy of children whose personal data they process is protected. This includes having default settings for the processing of children’s data that provide a high level of privacy protection, such as switching off behavioural advertising by default. The ICO has published a number of helpful resources relating to the Code, including a recent blog post focusing on the concept of the 'best interests of the child'.
The Code has a separate section on transparency which, like the Dutch DPA, stresses the importance of using clear and plain language. For example, companies should provide “bite-size” bits of information, as opposed to lengthy explanations. In addition, the use of diagrams, cartoons, graphics, video and audio content is encouraged. The Code came into force in early September last year, but the ICO granted a one-year grace period which is coming to an end in barely a month's time, on 2 September 2021.
Which particular approach to transparency is appropriate will inevitably depend on the specific circumstances, including whether the service is targeted at very young children or teens who will have differing levels of “maturity” and understanding of data privacy and their rights. However, it is clear that companies can no longer adopt a one-size-fits-all approach to privacy notices if their audience consists, at least in part, of children. With the Dutch fine having been issued, and the ICO Children’s Code soon being in full force, these companies (both EU and UK) would be wise to revisit their notices to ensure they are sufficiently transparent and clear.
The Children's Code "will leave online service providers in no doubt about what is expected of them when it comes to looking after children’s personal data. It will help create an open, transparent and protected place for children when they are online" (Elizabeth Denham, UK Information Commissioner).