On 28 March 2024, the Personal Data Protection Commission (PDPC) issued the Advisory Guidelines on the PDPA for Children's Personal Data in the Digital Environment (Advisory Guidelines). The Advisory Guidelines aim to protect personal data of children (i.e., individuals below 18), ensuring a safer online presence for them.
The Advisory Guidelines apply to organisations whose online products or services are likely to be accessed by children, regardless if they actually target children. Examples of such online products or services include:
However, data intermediaries of such organisations should also comply with the protection and data breach notification requirements under the Advisory Guidelines.
The Advisory Guidelines provide that organisations should use age-appropriate language and media in communicating with children. This means that notification of purpose and consent clauses, data protection policies and terms and conditions must be in a language that children can readily understand.
As regards obtaining consent for processing children’s personal data, the Advisory Guidelines confirm that a child between 13 and 17 years old may give valid consent where they understand the nature and consequences of an organisation’s policies on collection, use and disclosure of their personal data. However, as there is no one-size-fits-all approach, organisations may also apply a higher age of consent if it is more appropriate to their business operations. Notably, a child below 13 may not validly give consent and consent must be obtained from their parent or guardian.
The Advisory Guidelines also provide that a principles-based approach should be used to gauge the reasonableness of the purposes for collecting, using or disclosing children’s personal data. Examples of reasonable purposes include age verification, protecting children from harmful and inappropriate content and directing children to safety information (e.g., to deter against self-harm). In addition, the Advisory Guidelines remind organisations to practice data minimisation by collecting and using only the minimum amount of personal data needed for their purposes.
Because the Advisory Guidelines consider children’s personal data as sensitive personal data, they must be accorded greater protection. For example, organisations and data intermediaries handling children’s personal data are encouraged to implement the ‘Basic and Enhanced Practices’ listed in the PDPC’s Guide to Data Protection Practices for ICT Systems to address potential risks and harms to children in the digital environment.
While they are not intended to be comprehensive, the Advisory Guidelines set out the key areas where organisations must exercise extra care to protect children’s personal data. Organisations handling children’s personal data should therefore be mindful of and comply with the best practices listed in the Advisory Guidelines.
OrionW regularly advises clients on data protection matters. For more information about how to comply with the Personal Data Protection Act 2012, or if you have questions about this article, please contact us at info@orionw.com.
Disclaimer: This article is for general information only and does not constitute legal advice.
