When it comes to protecting children online, we've seen a lot of regulatory smoke in recent years, but no flame. That's all set to change. The ICO has started to hold feet to the fire in announcing its intention to fine a social media platform £27 million for allegedly failing to protect children's privacy.
It's the first of a number of investigations to be concluded into companies providing digital services that haven't, in the ICO's initial view, taken child safety issues seriously enough. The ICO is also apparently looking at Children's Code compliance in over 50 other online services.
The ICO's investigation into the platform found that it may have:
- processed the data of under 13s without appropriate parental consent
- failed to provide information to its users in a concise, transparent and easily understood way
- processed special category data without legal grounds to do so
The ICO's findings are provisional and it will consider representations by the platform before taking a final decision.
What does this potential fine mean to my organisation?
Whilst the alleged breaches took place between May 2018 and July 2020 (i.e. before the Children’s Code went live), this regulatory action signals the start of a shift in the ICO's approach to protecting children online: from education to enforcement.
The action also forms part of a wider trend, as evidenced by the inquest into Molly Russell’s tragic death, as well as the legislative progress of the Online Safety Bill. Although the Bill stalled during this summer's political turmoil, the new PM assured the Commons in early September that her Government will be picking up the reins.
The trend continues to be international in nature with (for example) the US President highlighting the need to protect children online in his State of the Union address; and the bipartisan California Age Appropriate Design Code Act, modelled on the ICO’s Children’s Code, being signed into law this month. CNIL has also just published some recommendations on the vexed issue of online age verification as part of its work on the digital rights of minors.
So now's a good moment to take stock and work out whether you're caught by the Children's Code (the key question being: are your online services likely to be accessed by under 18s?) If you are, then you'll need to conduct a child-specific data protection impact assessment which will help you assess the risks and appropriate mitigations. For more information, see here.
I’ve been clear that our work to better protect children online involves working with organisations but will also involve enforcement action where necessary.