
ICO updates guidance on using children's information

On 15 May 2026, the UK Information Commissioner's Office (the ICO) updated both its brief guidance on using children's personal data (the Brief Guidance) and its detailed Children and the UK GDPR guidance (the Detailed Guidance) (together, the Guidance). The updates to the Guidance were not subject to a consultation process, presumably as the provisions clarify and reinforce existing UK GDPR requirements rather than addressing major new steps required of organisations. 

The Guidance reflects changes introduced by the Data (Use and Access) Act 2025 (DUAA) that are likely to impact an organisation’s use of children’s data. For example, the Guidance addresses the requirement that a controller must take account of children’s higher protection matters (the Higher Protection Matters) when processing data in the course of providing information society services (ISS) likely to be accessed by children (the Higher Protection Matters Duty). The three children’s Higher Protection Matters are:

  • how children can best be protected and supported when using the services
  • the fact that children merit specific protection with regard to their personal data because they may be less aware of the risks and consequences associated with processing of personal data and of their rights
  • the fact that children have different needs at different ages and at different stages of development.

The Guidance has been adjusted to:

  • highlight specific requirements for ISS providers (as described above) throughout the Guidance
  • highlight relevant standards in the ICO’s Age Appropriate Design Code (AADC)
  • provide practical case studies and more best practice examples. 
Amongst other things:
Data protection principles
The Guidance sets out the benefits of data protection impact assessments (DPIAs) and the need to take a data protection by design and default approach. It gives examples of child-friendly design measures. The AADC already includes DPIAs under its standard 2. If an organisation provides ISS that are likely to be accessed by children, it must take account of the Higher Protection Matters Duty. The ICO considers that if the organisation already complies with the AADC, it is likely to comply with the Higher Protection Matters Duty. Whilst the Higher Protection Matters Duty technically only applies to certain ISS providers, the ICO notes that it can be helpful for all organisations to consider the Higher Protection Matters when regularly handling children’s data.
Lawful basis
The Guidance sets out specific considerations when looking to rely on each lawful basis to process children’s personal data. For example, the Guidance highlights the need to assess a child’s capacity to understand what they are agreeing to when giving consent. The request for consent must be clear, easy to understand and appropriate to the age of the child. The Guidance acknowledges that it may not always be possible to assess a child’s individual capacity so, in that case, it recommends considering their age and the complexity of what they are being expected to understand. The Guidance specifically addresses the minimum age for consent (13 years old) that applies to organisations offering ISS directly to children.
 
By way of further example, the Guidance considers reliance on the lawful basis of “performance of a contract” in relation to children. Where there are doubts as to the child’s capacity to enter into a contract, the Guidance clarifies that another lawful basis should be relied upon. 
 
The Guidance confirms that children’s personal data can be processed when it is necessary for the purposes of a recognised legitimate interest, i.e. the purpose of processing meets one of five specified conditions (the new “recognised legitimate interest” lawful basis introduced by DUAA). The Guidance highlights the “safeguarding of a vulnerable individual” condition as likely to be particularly relevant. 
 

The Guidance notes that more information on appropriate lawful bases for processing children’s data can be found in the AADC.

The lawful basis to process the personal data of children was recently considered in the context of an ICO investigation. Amongst other things, the ICO found that the subject of the investigation, an online platform, did not have a lawful basis to process personal data of children under 13. In February 2026, the ICO imposed a £14 million fine.
Direct marketing
The Guidance recognises that it is possible to use a child’s personal data for direct marketing purposes. However, the UK GDPR specifies that children merit special protection and some children may not understand the consequences of sharing personal data for marketing purposes. As such, the Guidance sets out recommendations to help mitigate the risks (for example, avoid use of personal data for marketing, ensure data minimisation, avoid or limit data sharing, ensure effective transparency, implement effective storage and deletion policies).
Automated decision-making and profiling
The Guidance acknowledges that it is possible to profile or make automated decisions about a child. However, it is clear that children merit specific protection and that organisations should avoid profiling or carrying out automated decision-making regarding a child “wherever possible”. To the extent a controller does plan to carry out automated decision-making or profiling, the Guidance sets out actions that it must take and that it should consider. The Guidance recognises that even if decision-making is not “solely automated” or doesn’t have a legal or “similarly significant effect” on the child, automated decision-making or profiling may nonetheless raise particular risks for a child. The child may be more easily influenced than adults and may be less able to understand the consequences of profiling for advertising purposes, for example. The Guidance addresses specific considerations for providers of ISS likely to be accessed by children, particularly in relation to data protection by design and default requirements. As noted below, there will be more guidance on this area in the forthcoming statutory AI Code.
Sharing data
The Guidance is clear that extra care is required when sharing a child’s personal data and that the best interests of the child should be taken into account before doing so. A child’s personal data should not be shared unless the organisation has a “compelling reason to do so”, which is unlikely to include sale for commercial purposes.
Data protection rights
The Guidance clarifies that children have the same data protection rights as adults but that child-specific considerations apply. For example, the Guidance sets out how to consider the capacity of a child to exercise their rights, when another person can act on the child’s behalf, what information should be given to both the child and parent, and how it should be presented to a child. 
 

The Guidance also highlights the need to take account of other related duties, for example, those under the UK Online Safety Act. 

In its social media alert, the ICO encouraged organisations that use children’s data to ensure that they have:

  • reviewed use of children’s data, particularly for marketing, profiling and online services
  • validated that DPIAs include child-specific risks and mitigations
  • reassessed reliance on lawful bases, with particular consideration as to when there may be a power imbalance (for example in relation to consent)
  • confirmed that transparency approaches are genuinely age-appropriate and easy to understand
  • considered how privacy approaches align with online safety and platform design requirements. 
It is clear that the protection of children remains a regulatory priority for the ICO, particularly in the context of recent fines and its May 2026 statement of expectations on effective age assurance: “companies that say their services are only suitable for those over a minimum age need to take effective action to prevent access by children under that age.”

Further context

The Guidance does not include an update to the AADC but it is understood that revisions will come at a later date. Any updates of the AADC must be laid before Parliament. The ICO is also working on a new statutory AI Code that will include good practice on processing children’s personal data. The Data Protection Act 2018 (Code of Practice on Artificial Intelligence and Automated Decision-Making) Regulations 2026, requiring the ICO to develop the AI Code, were passed in May 2026. The ICO has also indicated that it is engaging with the UK government to develop secondary legislation that will require the ICO to produce a new code regarding the processing of children’s personal data in educational technology (ed-tech). More detail on these developments (including consultations) is expected later in 2026.

The Brief Guidance is available here and the Detailed Guidance is available here

 
