On March 28, 2024, the Personal Data Protection Commission (PDPC) published Advisory Guidelines on the PDPA for Children's Personal Data in the Digital Environment.

In particular, the Advisory Guidelines highlight that they clarify obligations related to children's personal data under the Personal Data Protection Act (No. 28 of 2012) (PDPA) and read in conjunction with Chapter 8 of the PDPC's Advisory Guidelines on the PDPA for Selected Topics. More specifically, the Advisory Guidelines apply to organizations whose online products or services are likely to be accessed by children, including, for example:

• social media services defined by Section 45T of the Broadcasting Act 1994;
• technology aided learning (EdTech);
• online games; and
• smart toys and devices.

Privacy by Design and by Default

The Advisory Guidelines stipulate that when communicating with children, organizations should use plain and simple language, and avoid deceptive language or design. The organization can also consider using visual and audio aids to support the child's understanding.

Notably, children between 13 and 17 may give valid consent, when the policies on the collection, use, and disclosure of the child's personal data, as well as the withdrawal of consent, are readily understandable by them. This includes ensuring that the child understands the consequences of providing and withdrawing consent. However, where organizations have reason to believe that children do not have sufficient understanding, they should obtain consent from parents or guardians. Further, organizations must obtain consent from a child's parent or guardian when the child is below 13 years of age.

The Advisory Guidelines specify that the reasonable collection, use, or disclosure of a child's personal data include:

• collecting and using a child's personal data or profile for age assurance to ensure only age-appropriate content is accessible;
• collecting and using a child's personal data or profile to protect the child from harmful and inappropriate content; and
• using the behavioral data of a child, such as the use of high-risk search terms, including terms related to self-harm or suicide, to direct the child to relevant safety information.

Regarding age assurance, the Advisory Guidelines note the PDPC's support for the use of age assurance methods, including age verification or estimation methods, all while practicing data minimization. Organizations are not required to collect national identity documents for age assurance purposes. Regarding geolocation data, organizations are recommended to adopt data minimization practices, including disabling geolocation functions by default so that precise location data is not automatically collected when a product or service is first used.

Data security

Basic practices for protecting children's personal data include developing and implementing ICT security policies, and assessing and mitigating security risks in outsourcing or engaging external parties for ICT services. More enhanced practices include the use of one-time passwords (OTP), 2-Factor Authentication (2FA), or multi-factor authentication (MFA).

In addition, in the case of a data breach resulting in significant harm to individuals who are children, organizations must inform the affected data subject, even though a child. This notice to the child, where the organization does not have the contact details of a parent or guardian, must also be in a language that is readily understandable by the child.

Organizations are also recommended to conduct a Data Protection Impact Assessment (DPIA) to develop and implement policies and practices before releasing products and services likely to be accessed by children.

You can read the summary here and the Advisory Guidelines here.