The National Privacy Commission Issues Guidelines on Child-Oriented Transparency

On 17 December 2024, the National Privacy Commission (“NPC”) issued NPC Advisory No. 2024-03, which provides for the Guidelines on Child-Oriented Transparency. 

These guidelines apply to all Personal Information Controllers (“PICs”) and Personal Information Processors (“PIPs”) involved in processing children’s personal data, whether in digital or physical environments. They also cover products and services either specifically designed for children or likely to be accessed by them.

Risk-Based Assessment for Child Data Processing

Adhering to General Privacy Principles

The processing of children’s personal data must align with fundamental privacy principles, with a particular emphasis on the Principle of Transparency. PICs must ensure that children are informed about the nature, purpose, and extent of the data processing activities, keeping in mind their age and the associated risks. This is where a risk-based, child-oriented approach becomes essential.

Child Privacy Impact Assessment (“CPIA”)

Before launching any product or service intended for children or likely to be accessed by them, PICs are required to conduct a CPIA. This assessment should be an ongoing process, regularly updated to account for changes in services, systems, or regulations. 

PICs must assess the necessity of involving parents or guardians, particularly when the risks to children are higher. Methods for securing and verifying parental involvement must be determined based on the level of risk.

Implementing Age Assurance Mechanisms

To ensure that only children of appropriate ages are subject to specific processing activities, PICs may need to implement age assurance mechanisms. These tools help determine the age range of users and ensure that processing practices are age-appropriate. PICs should recognize that relying solely on users’ self-declarations may be inadequate, especially for high-risk activities. Furthermore, the collection of personal data for age assurance must comply with privacy principles and be legally justified.

Enhanced Privacy Settings

PICs must also adopt a risk-based approach when determining and implementing privacy controls. This includes:

• High Privacy Settings by Default: Children’s accounts should have the highest privacy settings by default, including disabling geolocation services, setting profiles to private, and minimizing unnecessary data sharing.
• Easy Access to Privacy Settings: Children should be able to easily access, understand, and adjust their privacy settings. The options should be user-friendly, helping children manage their privacy preferences with minimal complexity.

Privacy Notice: Transparency in Data Processing

Clear and Accessible Privacy Notices

PICs must ensure that children are fully aware of how their personal data is processed. This involves presenting privacy notices in a manner that is understandable to the child, taking into account their age and evolving capacities. To do so, PICs should:

• Use simple language, making sure technical terms are defined and explained in a clear, child-friendly manner.
• Provide alternative formats such as videos, infographics, or audio recordings to ensure the privacy information is accessible and engaging for children.

Key Elements of a Privacy Notice

The Privacy Notice should clearly inform children about the following:

• Specific data processing activities
• Purpose of the processing
• Lawful basis for processing
• Potential risks and consequences of data processing
• Importance of privacy settings and how to manage them
• Data subjects’ rights and how to exercise them
• Updates or revisions to the Privacy Notice, if any

Type of Notice

PICs must create child-friendly privacy notices in addition to regular privacy statements, which shall avoid overly complex language while still providing all necessary information about data processing. At the point of data collection, PICs must also provide just-in-time privacy notices—a brief, clear notification about the processing activity, presented in a child-appropriate manner. 

Additionally, a layered approach to privacy notices can help break down complex information into digestible sections, guiding children to more detailed information as needed. This method ensures that children understand the immediate implications of data processing and can explore additional details if desired. Lastly, PICs must avoid using deceptive design patterns that may trick children into providing more data than necessary or compromise their privacy. 

Data Breach Notification Requirements

Notifying Children and Their Guardians

In the event of a data breach, PICs must notify affected data subjects, including children. When the affected individuals are children, the PIC must also inform the child’s parents or guardians. The notification should be delivered in a language that is simple and easily understandable for children, ensuring that both the child and their guardians are fully informed.

Even if the breach does not fall under mandatory notification guidelines, PICs are encouraged to inform children and their guardians to maintain transparency and protect the child’s privacy.

Accountability in Data Processing

PICs Are Accountable for Children’s Data

PICs are responsible for the processing of children’s personal data, including data processed by any third-party PIPs. In all actions, PICs must prioritize the best interests of the child. This includes adopting a risk-based and context-specific approach to:

• Determining suitable age-assurance mechanisms
• Tailoring content to children’s understanding
• Implementing appropriate security measures, privacy controls and safeguards

PICs must demonstrate accountability at all stages of the data processing activity, ensuring that children’s personal data are handled with care and transparency.