# Children’s Data and Online Services: Practical Privacy Governance

Canonical URL: https://xpertdpo.com/childrens-data-online-services-privacy-governance/

Content type: Article

Published: 2026-06-25T15:11:33+01:00

Updated: 2026-06-25T17:57:05+01:00

Author: Philipa Jane Farley, Head of Legal and Operations

Summary: Children's data protection is not only a notice or consent issue. Online services, EdTech and digital products need age-appropriate governance, proportionate age assurance, careful profiling controls, DPIAs and reviewable evidence.

## Article

*This article accompanies Hour 6: Children's Data & Online Services in our full-day CPD programme on [XpertAcademy](https://xpertacademy.com/). Completion of the full one-hour session, including the related learning materials, contributes to the one-hour CPD certificate issued for that session. You can access the course here: [CPD Event A: Full-Day Regulatory Privacy Training](https://xpertacademy.com/cpd-event-a-regulatory/).*

 Children's data protection is often discussed as if the main question is whether a child or parent has clicked the right consent box. That is too narrow. In online services, games, apps, platforms, EdTech products, connected devices and learning tools, privacy risk is usually created by the design of the service, the defaults, the data flows, the profiling logic, the vendor model and the evidence the organisation keeps when decisions are made.

 Children are not simply small adult users. GDPR, UK GDPR and regulator guidance recognise that children may be less aware of the risks, consequences, safeguards and rights connected with personal data. They may also have less practical power to avoid a service, challenge a setting, understand a profile or resist a design choice that nudges them into more sharing. That matters for DPOs and privacy teams because children's data governance needs to be built into product, procurement and review, not bolted on at publication.

 This article is general guidance, not legal advice. It is intended to help DPOs, privacy teams, legal teams, boards and online-service owners ask better governance questions about children's data, especially where the service is likely to be accessed by children or is used in an education context.

> The practical question is not only "do we have a privacy notice?" It is whether the service is designed, evidenced and reviewed in a way that reflects children's rights, development and realistic ability to understand what is happening.

### Start with the child-specific risk

 The first governance step is to identify the children who may use or be affected by the service. A service may not be aimed at children and may still be likely to be accessed by them. A tool may be bought by a school or organisation and still process children's personal data through learning records, safeguarding notes, behaviour management, attendance, analytics, messaging, content recommendation or platform telemetry.

 The risk assessment should be specific about age range and context. A seven-year-old using a learning app, a thirteen-year-old using a social platform, a sixteen-year-old using an exam revision tool and a child in a safeguarding workflow do not have the same needs, expectations or autonomy. Age-appropriate design is not a slogan. It requires enough understanding of the likely users to choose the right default settings, transparency approach, controls and review route.

 For organisations with UK exposure, the ICO Children's Code sets 15 standards for online services likely to be accessed by children, including best interests of the child, DPIAs, age-appropriate application, transparency, default settings, data minimisation, data sharing, geolocation, parental controls, profiling and nudge techniques. For Irish and wider EU contexts, the DPC's Fundamentals for a Child-Oriented Approach to Data Processing are also important because they frame children's data protection as a child-oriented governance discipline, not a paperwork exercise.

 For governance teams, the task is to turn standards into evidence: who may be affected, what the service does with their data, what risks arise, what design choices reduce those risks, and who checks whether the controls remain effective.

### Age assurance must be proportionate

 Age assurance can be necessary, but it is not a magic answer. It can help a service tailor protections, restrict access where required, or apply different experiences to different age groups. It can also create new privacy risks if it collects too much information, uses intrusive methods, stores age evidence unnecessarily or becomes a profiling mechanism in its own right.

 The ICO's age assurance materials are useful because they keep the focus on necessity and proportionality. The service should consider the risks children face, decide whether age assurance is necessary, and select an approach that is appropriate to the risk. A low-risk service may not need the same approach as a service exposing children to higher-risk content, social interaction, behavioural profiling, location sharing or commercial pressure.

 The governance record should explain the chosen approach. Is the service using self-declaration, age estimation, third-party verification, account signals, school-managed access or another method? What information is collected, stored, converted into an age band, deleted or reused? Can adults and children understand what is happening? Has the organisation tested circumvention risk, exclusion risk and data minimisation? If biometric or highly intrusive methods are considered, the threshold for evidence and legal review will be higher.

 Age assurance should also be reviewed when a service expands, adds social features, introduces targeted content, changes its minimum age, moves into schools or begins using children's data for product development.

### Transparency has to work for children

 Privacy information for children should not be a simplified adult notice with a few shorter sentences. It needs to help children, parents and carers understand what information is collected, why, who receives it, what choices exist, what happens by default, and how to ask for help or exercise rights.

 That does not mean every child sees the same explanation in the same format. Younger children may need layered information, icons, videos or just-in-time prompts. Older children may need clearer explanations of profiling, recommendations, visibility, permanence and commercial use. Parents and carers may need parallel information where parental controls, consent, school decisions or safeguarding contexts are involved.

 The transparency test is practical. Could a child or parent understand the main consequences of the service without reading a legal document from start to finish? Does the interface explain key choices at the point they matter? Is the language accessible? Are privacy settings visible and usable? Are children nudged toward more sharing, wider visibility or weaker privacy? If an account is private by default, can the child understand what changes when that setting is altered?

 For DPOs, this is an evidence issue. It is not enough to say "the privacy notice has been updated". The record should show how the explanation matches the age range, user journey, setting, data use and rights route.

### Public case study: what LEGO gets right as a transparency example

 LEGO is a useful public example because its children's digital materials do not treat transparency as one long privacy notice. This is not a finding that every LEGO service is compliant in every jurisdiction, or that another organisation can copy its approach without analysis. The value is in the visible design pattern.

 On its LEGO Play digital safety pages, LEGO explains child-facing safety through concrete ideas: anonymous avatars and pre-moderated usernames, verified parental consent, moderation, a code of conduct, a safety pledge and reminders while children use the app. That matters because it connects privacy and safety to the child's actual experience. It does not ask the child or parent to infer the controls from a dense legal notice.

 LEGO's responsible engagement materials also frame digital play around children's rights, safe-by-design experiences, family digital literacy, children's participation, safeguarding and wellbeing by design. That is a stronger transparency model than a notice alone because it shows the wider governance choices around the service: what the organisation says it is trying to protect, how parents are expected to participate, and how the design is meant to reduce risk.

 There is also a useful product-data lesson. Some LEGO connected-product notices describe the kinds of data a connected toy may generate, such as battery level, Bluetooth connection and motor speed, and then explain whether that data is stored, where it is stored, whether an account or internet connection is required, and how access, retrieval or erasure works. For children's services and connected products, that level of concrete explanation is often more useful than general reassurance.

 The transferable point is not "be like LEGO". It is that good children's transparency should be layered, concrete and behaviourally useful. It should explain the service in the language of the journey: what the child can do, what the parent controls, what data is collected, what is not collected, what is moderated, what is stored, what is shared, what defaults apply and where a child or parent can get help. For DPOs, that kind of public explanation should map back to the DPIA, product design record, vendor assessment and safety controls. If the public explanation and the internal evidence do not match, the transparency is fragile.

### Profiling, personalisation and default settings need particular care

 Profiling and personalisation can support useful features. A learning platform may adapt tasks. A streaming or reading service may recommend content. A game may personalise difficulty. But when children's data is used to shape feeds, rank content, target advertising, predict behaviour, infer interests or drive engagement, the privacy risk changes.

 Children may not understand how a profile is built or how it affects what they see. They may also be more exposed to manipulation, compulsive design, harmful recommendations, financial pressure or loss of control over visibility and sharing. Regulator guidance is consistently cautious about children's data being used for marketing, personality or user profiles, targeted advertising and recommender systems.

 Default settings are therefore a governance decision, not a cosmetic product choice. High-privacy defaults, data minimisation, geolocation off by default, restrained sharing and profiling off by default unless justified are all practical safeguards. Where an organisation wants to depart from a protective default, the record should explain the reason, the risk, the alternative considered and the safeguards relied on.

 Product teams should also look closely at nudge techniques. If a design encourages a child to reveal more data, turn on geolocation, make a profile public, accept tracking, share with a wider audience or keep engaging when they would otherwise stop, that is not just a UX decision. It is a children's data governance decision.

### EdTech and online-service vendors need a clean role model

 EdTech privacy is a good example of why children's data governance cannot sit only with the privacy team. Schools, trusts, colleges, children's services and online-learning providers may all depend on third-party systems for learning, behaviour, safeguarding, assessment, administration, communication and analytics. The data can be sensitive, persistent and difficult for children to avoid.

 The ICO's June 2026 EdTech audit overview is a useful reminder of practical weak spots. It identified issues including role confusion between processor and controller status, insufficiently detailed contracts, incomplete data-flow mapping, weak minimisation and storage-limitation practice, inaccessible or outdated privacy information, and DPIA gaps. Those are not abstract compliance points. They are the foundations of whether a school, provider or service owner can explain what happens to children's data.

 Where a vendor is involved, the organisation should not accept "we are the processor" or "we are fully compliant" as the whole answer. The review should ask what purposes the vendor controls, whether children's data is used for product development or analytics, what subprocessors are used, whether international transfers arise, how support access works, whether telemetry is collected, and what happens when the contract ends.

 This is where vendor governance and legal characterisation matter. A clear controller, processor or joint-controller analysis should sit beside the contract, DPIA, transparency wording and operational controls. XpertDPO's guidance on [vendor oversight and legal characterisation](https://xpertdpo.com/vendor-oversight-and-legal-characterisation/) is relevant where online-service or EdTech responsibilities are blurred. If hosting, support access or subprocessors create international-transfer questions, the transfer analysis should connect to the same evidence record rather than sit in a separate folder; see also [Cross-Border Transfers for DPOs](https://xpertdpo.com/cross-border-transfers-for-dpos/).

### Parental consent is not the whole model

 Parental consent is important in specific contexts, especially where consent is the lawful basis for offering information society services directly to a child below the relevant age of digital consent. But it should not be treated as the whole children's privacy model.

 First, consent is only one lawful basis. Some processing may rely on contract, legal obligation, public task, vital interests or legitimate interests, depending on the facts and jurisdiction. The age of digital consent rules apply in a particular way where consent is being used for relevant online services; they do not mean that every item of children's personal data can only be processed with parental consent.

 Second, parental involvement does not remove the child's rights. Children have rights as data subjects. As they mature, their understanding, autonomy and ability to participate in decisions become more significant. In education, safeguarding and family contexts, the relationship between child rights, parental rights, school responsibilities and organisational duties can require careful handling.

 Third, consent is only valid if it is meaningful. If a child or parent has no real choice, cannot understand the processing, or is pushed through a bundled sign-up that hides optional data use, the consent record may not be doing the work the organisation thinks it is doing.

 The safer governance approach is to identify the lawful basis for each processing purpose, explain where parental consent or authorisation is required, keep verification evidence proportionate to the risk, and avoid treating parental consent as a substitute for child-appropriate design, minimisation, transparency and default controls.

### DPIAs should be child-specific and live

 For online services likely to be accessed by children, DPIAs should not be generic. The ICO Children's Code expects DPIAs to focus on the specific rights and risks of children using the service. That means the assessment should consider age, development, expectations, vulnerability, ability to understand, ability to exercise rights, design features, profiling, sharing, location, parental controls, safeguarding context and the consequences if the processing goes wrong.

 A child-specific DPIA should begin early enough to influence design and procurement. It should describe the service, data flows, purposes, affected children, vendor model, lawful bases, transparency approach, age assurance method, default settings, profiling logic, retention, rights route and residual risks. It should also record DPO advice where relevant, sign-off conditions and review triggers.

 Review triggers matter. The DPIA should be reopened when the service changes age range, adds social features, changes default visibility, introduces recommender systems, expands analytics, adds AI functionality, changes vendors, changes hosting or subprocessors, alters retention, starts using data for product development, moves from pilot to live use, receives complaints, or identifies evidence that children are using the service differently from expected.

 For board and legal assurance, the DPIA is only part of the evidence. Senior stakeholders need a clear view of what is approved, what is excluded, what uncertainty remains, who owns the controls and how the organisation knows the safeguards are working.

### A short governance checklist

 For DPOs and privacy teams, a practical review should be able to answer:

- Which children are likely to use or be affected by the service, and what age ranges are in scope?
- What child-specific risks arise from the data use, design, defaults, profiling, sharing, geolocation, vendor model or education context?
- Is age assurance necessary, proportionate and limited to what the service needs?
- Are privacy explanations, controls and rights routes usable by children, parents and carers?
- Are high-privacy defaults, minimisation, retention limits and profiling controls evidenced?
- Are controller, processor, joint-controller, subprocessor and transfer positions clear?
- Does the DPIA address children's rights and risks specifically, with review triggers and sign-off conditions?

 The checklist is deliberately short because the real work is not in the list. It is in the judgement trail behind each answer.

### How XpertDPO supports children's data governance

 XpertDPO supports organisations that need children's data protection work to become clearer, more evidenced and easier to govern. That may involve independent review through [DPO Support](https://xpertdpo.com/dpo-support/), board or legal assurance through [Board / Legal Privacy Assurance](https://xpertdpo.com/board-legal-privacy-assurance/), supplier and role-mapping review through [Vendor / Third-Party Privacy Governance](https://xpertdpo.com/vendor-third-party-privacy-governance/), or structured assessment through [DPIA Support](https://xpertdpo.com/data-protection-impact-assessment-dpia-support/).

 The aim is not to make every children's data issue heavier than it needs to be. The aim is to help organisations show that the service has been designed and reviewed with children's rights, expectations and practical experience in mind. That evidence is especially important where the service is used in schools, likely to be accessed by children, dependent on age assurance, built around profiling or personalisation, or reliant on a third-party provider.

 *This article is intended to support the learning covered in Hour 6: Children's Data & Online Services in our [XpertAcademy](https://xpertacademy.com/) CPD Event A programme. The relevant CPD certificate is issued for completion of the full one-hour session on XpertAcademy, rather than for reading this article on its own. You can return to the course here: [CPD Event A: Full-Day Regulatory Privacy Training](https://xpertacademy.com/cpd-event-a-regulatory/).*

### Sources

- Information Commissioner's Office, Age appropriate design: a code of practice for online services: [https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/childrens-information/childrens-code-guidance-and-resources/age-appropriate-design-a-code-of-practice-for-online-services/](https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/childrens-information/childrens-code-guidance-and-resources/age-appropriate-design-a-code-of-practice-for-online-services/)
- Information Commissioner's Office, Introduction to the Children's code: [https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/childrens-information/childrens-code-guidance-and-resources/introduction-to-the-childrens-code/](https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/childrens-information/childrens-code-guidance-and-resources/introduction-to-the-childrens-code/)
- Information Commissioner's Office, Children's Code standard 2: Data protection impact assessments: [https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/childrens-information/childrens-code-guidance-and-resources/age-appropriate-design-a-code-of-practice-for-online-services/2-data-protection-impact-assessments/](https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/childrens-information/childrens-code-guidance-and-resources/age-appropriate-design-a-code-of-practice-for-online-services/2-data-protection-impact-assessments/)
- Information Commissioner's Office, Age assurance for the Children's Code: [https://ico.org.uk/about-the-ico/what-we-do/information-commissioners-opinions/age-assurance-for-the-children-s-code/](https://ico.org.uk/about-the-ico/what-we-do/information-commissioners-opinions/age-assurance-for-the-children-s-code/)
- Information Commissioner's Office and Ofcom, Age Assurance joint statement, 25 March 2026: [https://ico.org.uk/media2/5ybpmabf/ofcom-ico-joint-statement.pdf](https://ico.org.uk/media2/5ybpmabf/ofcom-ico-joint-statement.pdf)
- Information Commissioner's Office, The Children's Code and education technologies (EdTech): [https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/childrens-information/childrens-code-guidance-and-resources/the-children-s-code-and-education-technologies-edtech/](https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/childrens-information/childrens-code-guidance-and-resources/the-children-s-code-and-education-technologies-edtech/)
- Information Commissioner's Office, Edtech examined overview report, 24 June 2026: [https://ico.org.uk/action-weve-taken/audits-and-overview-reports/2026/06/edtech/](https://ico.org.uk/action-weve-taken/audits-and-overview-reports/2026/06/edtech/)
- Information Commissioner's Office, ICO statement on Edtech examined report, 24 June 2026: [https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2026/06/ico-statement-on-edtech-examined-report/](https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2026/06/ico-statement-on-edtech-examined-report/)
- Data Protection Commission, Fundamentals for a Child-Oriented Approach to Data Processing: [https://www.dataprotection.ie/sites/default/files/uploads/2021-12/Fundamentals%20for%20a%20Child-Oriented%20Approach%20to%20Data%20Processing_FINAL_EN.pdf](https://www.dataprotection.ie/sites/default/files/uploads/2021-12/Fundamentals%20for%20a%20Child-Oriented%20Approach%20to%20Data%20Processing_FINAL_EN.pdf)
- Data Protection Commission, Children's data and parental consent: [https://www.dataprotection.ie/sites/default/files/uploads/2023-04/DPC_ChildrensData_ParentalConsent.pdf](https://www.dataprotection.ie/sites/default/files/uploads/2023-04/DPC_ChildrensData_ParentalConsent.pdf)
- Data Protection Commission, Data Protection Toolkit for Schools: [https://www.dataprotection.ie/sites/default/files/uploads/2024-12/DataProtection-ToolkitforSchools_EN_0.pdf](https://www.dataprotection.ie/sites/default/files/uploads/2024-12/DataProtection-ToolkitforSchools_EN_0.pdf)
- European Data Protection Board, Guidelines 05/2020 on consent under Regulation 2016/679: [https://www.edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_202005_consent_en.pdf](https://www.edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_202005_consent_en.pdf)
- European Data Protection Board, Guidelines 8/2020 on the targeting of social media users: [https://www.edpb.europa.eu/system/files/2021-04/edpb_guidelines_082020_on_the_targeting_of_social_media_users_en.pdf](https://www.edpb.europa.eu/system/files/2021-04/edpb_guidelines_082020_on_the_targeting_of_social_media_users_en.pdf)
- European Data Protection Board, Guidelines 3/2025 on the interplay between the DSA and the GDPR: [https://www.edpb.europa.eu/system/files/2025-09/edpb_guidelines_202503_interplay-dsa-gdpr_v1_en.pdf](https://www.edpb.europa.eu/system/files/2025-09/edpb_guidelines_202503_interplay-dsa-gdpr_v1_en.pdf)
- EUR-Lex, Regulation (EU) 2016/679, GDPR: [https://eur-lex.europa.eu/eli/reg/2016/679/oj/eng](https://eur-lex.europa.eu/eli/reg/2016/679/oj/eng)
- LEGO, Building a Safe Digital Environment for Kids: [https://www.lego.com/en-gb/apps/play-app/digital-safety](https://www.lego.com/en-gb/apps/play-app/digital-safety)
- LEGO, Responsible Engagement with Children: [https://www.lego.com/en-us/sustainability/children/responsible-enagement-with-children](https://www.lego.com/en-us/sustainability/children/responsible-enagement-with-children)
- LEGO, UNICEF partnership and child online safety materials: [https://www.lego.com/en-us/sustainability/children/unicef-partnership](https://www.lego.com/en-us/sustainability/children/unicef-partnership)
- LEGO, example connected product Data Act Product Information Notice: [https://www.lego.com/en-gb/product/6x6-volvo-articulated-hauler-42114](https://www.lego.com/en-gb/product/6x6-volvo-articulated-hauler-42114)

## General Information Only

This article is provided for general information and does not constitute legal, regulatory, or professional advice. Data protection obligations depend on the specific facts, context, and jurisdiction involved. You should not rely on this content as a substitute for advice tailored to your organisation.

If you would like support with a specific issue, please contact us: https://xpertdpo.com/contact/
