The PDPC has issued advisory guidelines for organisations handling children’s personal data in the digital environment.

Insights

PDPC Issues Advisory Guidelines On Children’s Personal Data In The Digital Environment

Date
March 31, 2024
March 31, 2024
Author
OrionW

On 28 March 2024, the Personal Data Protection Commission (PDPC) issued the Advisory Guidelines on the PDPA for Children's Personal Data in the Digital Environment (Advisory Guidelines).  The Advisory Guidelines aim to protect personal data of children (i.e., individuals below 18), ensuring a safer online presence for them.

Application of the Advisory Guidelines

The Advisory Guidelines apply to organisations whose online products or services are likely to be accessed by children, regardless if they actually target children.  Examples of such online products or services include:

  • social media services;
  • technology-aided learning (EdTech);
  • online games; and
  • smart toys and devices.  

However, data intermediaries of such organisations should also comply with the protection and data breach notification requirements under the Advisory Guidelines.

Key Provisions of the Advisory Guidelines

The Advisory Guidelines provide that organisations should use age-appropriate language and media in communicating with children.  This means that notification of purpose and consent clauses, data protection policies and terms and conditions must be in a language that children can readily understand.

As regards obtaining consent for processing children’s personal data, the Advisory Guidelines confirm that a child between 13 and 17 years old may give valid consent where they understand the nature and consequences of an organisation’s policies on collection, use and disclosure of their personal data.  However, as there is no one-size-fits-all approach, organisations may also apply a higher age of consent if it is more appropriate to their business operations.  Notably, a child below 13 may not validly give consent and consent must be obtained from their parent or guardian.

The Advisory Guidelines also provide that a principles-based approach should be used to gauge the reasonableness of the purposes for collecting, using or disclosing children’s personal data.  Examples of reasonable purposes include age verification, protecting children from harmful and inappropriate content and directing children to safety information (e.g., to deter against self-harm).  In addition, the Advisory Guidelines remind organisations to practice data minimisation by collecting and using only the minimum amount of personal data needed for their purposes.

Because the Advisory Guidelines consider children’s personal data as sensitive personal data, they must be accorded greater protection.  For example, organisations and data intermediaries handling children’s personal data are encouraged to implement the ‘Basic and Enhanced Practices’ listed in the PDPC’s Guide to Data Protection Practices for ICT Systems to address potential risks and harms to children in the digital environment.

Conclusion

While they are not intended to be comprehensive, the Advisory Guidelines set out the key areas where organisations must exercise extra care to protect children’s personal data.  Organisations handling children’s personal data should therefore be mindful of and comply with the best practices listed in the Advisory Guidelines.  

For More Information

OrionW regularly advises clients on data protection matters.  For more information about how to comply with the Personal Data Protection Act 2012, or if you have questions about this article, please contact us at info@orionw.com

Disclaimer: This article is for general information only and does not constitute legal advice. 

 

Newsletter

Subscribe to
our newsletters

To subscribe, select the newsletter options that interest you (TMT, FinTech or DPC - Data Protection and Cybersecurity) and provide your details.

  • TMT - Technology, Media and Telecommunications
  • FinTech
  • DPC - Data Protection & Cybersecurity
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.