Time’s tikking for privacy notices aimed at children: TikTok fined in the Netherlands and the ICO’s Children’s Code nears the end of its grace period


Transparency is arguably one of the most important principles of the GDPR. Without it, the data subjects will not know how their personal data will be processed, which leads to a wide range of abuses and makes it impossible for individuals to exercise their other legal rights. Children are particularly at risk as they are more likely to lack the ability to understand, question, and question the way their data is used. It is therefore not surprising that, according to a survey by the ICO, children’s privacy was ranked as their second largest data protection concern (cyber security came first).

The extent to which companies protect the privacy of their underage users or consumers is increasingly subject to regulatory scrutiny, and one of the main focuses is transparency. This is evidenced, for example, by the fine of 750,000 euros that the Dutch Data Protection Authority (DPA) imposed on TikTok on July 22 for failure to comply with its transparency obligations. You can find the decision here (only in Dutch). In particular, the Data Protection Agency found that TikTok has violated its obligation to use clear and simple language by providing information only in English to its users, who are mostly children. TikTok is appealing the fine, but the decision is an important reminder for companies to ensure their privacy policy is worded appropriately for the intended audience.

After Brexit, the decision will be less relevant for UK companies that only focus on the domestic market. However, it will still be very important for any UK (or other non-EEA) company to fall under the extraterritoriality provisions of the EU version of the GDPR. In particular, all companies providing services to children residing in the EEA should be aware of this.

The DPA’s decision is part of a broader move to improve children’s online protection. The UK has the Online Safety Bill which, among other things, focuses on preventing child abuse online. Additionally, there is the ICO Children’s Code (the Code), which contains a variety of measures that companies should take to ensure that the privacy of children whose personal data they are processing is protected. This includes standard settings for the processing of children’s data that offer a high level of data protection, such as The ICO has published a number of helpful resources on the Code, including a recent blog post that focuses on the concept of “the best interests of the child”.

The Code contains a separate section on transparency which, like the Dutch Data Protection Authority, emphasizes the importance of clear and simple language. For example, companies should provide “bite-sized” information rather than lengthy explanations. In addition, the use of charts, cartoons, graphs, video and audio content is recommended. The code came into effect at the beginning of September last year, but the ICO granted a one-year grace period that ends in just under a month, on September 2, 2021.

Which particular approach to transparency is appropriate will inevitably depend on the specific circumstances, including whether the service is aimed at very young children or adolescents who have different “levels of maturity” and different understandings of data protection and their rights. It is clear, however, that companies can no longer take a unified approach to privacy notices if their audience is at least partially made up of children. Since the Dutch fine has been imposed and the ICO Children’s Code is about to come into force, these companies (both in the EU and UK) should double-check their communications to ensure that they are sufficiently transparent and clear.

The Children’s Code “will leave online service providers in no doubt what is expected of them when it comes to maintaining children’s personal data. UK Information Officer).