Skip to main content
Go back
Written by
UK Team
1st November, 2024

ICO research illustrates risk to children’s data  

The UK’s data regulator, the Information Commissioner’s Office (ICO) published new research this week on how children’s data is being misused online and announced that it has issued information notices to three companies suspected of failing to comply with the Age Appropriate Design Code. However, with warnings already issued against 11 companies, the ICO must go further to ensure that tech companies are held accountable for poor practices regarding children’s data. 

A black boy is sitting on a grey sofa, relaxed. He is wearing a yellow T-shirt and light brown cargo trousers. He is holding a smartphone horizontally and looking at it intently. You can see, to the right of the image, a black man who is out-of-focus in an open flannel shirt, looking at his own smartphone.

This week the ICO published damning evidence of how tech companies are placing the burden of data protection and privacy on children and their parents. Its Children’s Data Lives report revealed that: 

  • Tech companies are not supporting children to understand how their personal data is being used and have inaccessible privacy policies.  
  • Children are frequently sharing their personal data, yet they rarely see this as ‘data sharing’. Services disguise data sharing and incentivise children to hand over more data using gamification, colourful graphics and illustrations.  
  • Live location-sharing is the norm for many children and some platforms make this a prerequisite for using their service putting children at risk. 
  • The research found that the pressure continues to fall on parents to keep their children safe online.  

These findings demonstrate the widescale misuse of children’s data still going on three years into enforcement of the ICO’s Age Appropriate Design Code.  

5Rights recently called on the ICO to take stronger action against poor compliance with the Code which is putting children at risk of harm.    

In our response to the regulator we highlighted that, while the ICO had announced investigations into 11 services, it failed to name them. It is crucial that companies in breach of the Code are subject to much tighter scrutiny as a matter of public interest – in particular where digital services have failed to protect children’s privacy and safety. 

Subsequently, the ICO has announced that it has issued formal information notices against three online service providers – Fruitlab, Frog and Imgur – for suspected failures regarding a lack of privacy settings for children including geolocation and age assurance. We acknowledge the ICO’s steps against these three companies, but the regulator must go further.  

5Rights will continue to monitor the ICO’s action around the Code to ensure it is holding tech companies to account and protects children.