Regulators across Europe are dishing out fines to companies that are breaching the GDPR when it comes to their misuse of children’s personal information. Meta has received a rap on the knuckles to the tune of an eye-watering €405 million and it looks like large fines from both the UK’s ICO and the Irish data protection authority are on their way to TikTok. More are expected – the UK’s Information Commissioner John Edwards says he is investigating another 50 businesses he believes aren’t taking their responsibilities around child privacy seriously enough.
This heightened activity is worrying those who could do without a fine of up to 4% of their annual global turnover. If you’re wondering how you can make sure your organisation stays on the right side of the Children’s Code, read on.
Does my business need to comply?
The UK GDPR states: “children merit specific protection with regard to their personal data, as they may be less aware of the risks, consequences and safeguards concerned and their rights in relation to the processing of personal data”. The Children’s Code translates the UK GDPR into 15 design guidelines that require online services to take the “best interests” of the child into account.
If you work in technology, it’s very likely that the code applies. Most online services used by children, including apps, online games, streaming services, social media platforms, search engines, news websites, smart toys and other connected devices, have to comply with the code. Counselling services are excluded, as are websites which do not allow people to buy products online or access an online service.
Online services do not even have to be designed for or targeted at children to fall within the code’s purview. If the service is deemed “likely to be accessed by children” within the UK, then the code still applies. That’s the case even if the company itself is based abroad.