ICO's Children's Code Strategy for 2024-2025

The Information Commissioner’s Office (ICO) has recently published its Children's Code Strategy for 2024-2025 which sets out the ICO’s priorities for protecting children's privacy online. 

The ICO's Children's Code Strategy develops further the Children’s Code which was introduced in September 2021. The Children’s Code required online services, including websites, apps, and games, to provide better privacy protections for children. 

The ICO's strategy for 2024-2025 focuses on social media and video-sharing platforms and lists the following priorities that such platforms must improve: 

1. Default Privacy and Geolocation Settings: Children's profiles must be private by default and geolocation settings must be turned off by default. This is to prevent misuse of location data that could compromise children's physical safety or mental wellbeing.
2. Profiling Children for Targeted Advertisements: Unless there is a compelling reason, profiling for targeted advertising should be off by default. This is to prevent potential financial harms where adverts encourage in-service purchases or additional app access without adequate protections.
3. Using Children’s Information in Recommender Systems: The ICO is calling on social media and video-sharing platforms to assess and understand the potential data harms to children on their platforms via recommender settings, and to take steps to mitigate them. For example, algorithmically produced content feeds may use information such as behavioural profiling and analysis of children’s search results. These feeds could result in unsuitable content including self-harm, suicide ideation, misogyny or eating disorders. The ICO also notes that recommender systems could lead to increased use of a platform by a child which in turn results in increased sharing of that child’s data with the platform.
4. Using information of children under 13 years old: Children under the age of 13 cannot consent to an online service processing their personal information; parental consent is required. Therefore, the ICO stresses the importance for platforms to consider how consent is obtained in practice and how age assurance technologies might be used to assess users’ ages and apply protections appropriately.

Our Views

Organisations processing personal data relating to children online should consider the priorities outlined by the ICO and take practical steps in line with the ICO’s Children’s Code Strategy to minimise the risks identified by the ICO.