Data Protection isn’t child’s play – LEGO gives a masterclass in data privacy for children

The Information Commissioner’s Office has been very forthcoming about its desire to protect children within the digital world rather than from it. One in five UK internet users are children who access digital services daily on apps, games, socials and websites, where data is being collected on them (who they are, how they are using the service, how often, where, etc.).

As screen time for children is dramatically increasing year on year, the implications are mind-boggling and bring a lot of ethical questions to the surface about how this data is gathered and used.

In September 2021, the ICO launched new rules, known as the Children’s Code, governing how online services collect and use children’s personal data. The Code applies to UK-based companies and non-UK companies that process the personal data of UK children. Online services that collect children’s personal data need to design services that comply, and demonstrate they comply, with the GDPR and PECR, and must follow the Code’s 15 rules, which you can find here.

During the creation of the Children’s Code and the Online Safety Code, the ICO consulted with various parties including LEGO. LEGO has long supported a separate and specific approach to processing children's data, built for children. This is a requirement of the UK GDPR, which contains provisions intended to enhance the protection of children’s personal data and to ensure that children are addressed in plain, clear language that they can understand.

LEGO have fully embraced this with their online character Captain Safety. Captain Safety takes children on a journey to understand more about data privacy policy and cookies in order to stay safe and have fun. You can see the Captain’s online video on LEGO’s privacy policy here. As a result, children using LEGO may know more about data protection, privacy, cookies, etc. than their parents, as we, as adults, are often guilty of skimming the small print.

LEGO’s child-centric approach is far removed from that of others, including, for example, TikTok, who were fined £296m in 2023 for breaching GDPR requirements by unlawfully processing the personal data of around 1.4 million child users. So, if you are processing children’s personal data, your approach should ensure privacy by design and by default, taking into account, from the outset, the age of the children and the personal data you will be processing.

For a no-obligation conversation about data protection and how we might help, contact Prettys’ dedicated Data Protection and Privacy Team on e: dataprotection@prettys.co.uk or call 01473 232121.

Expert
Emma Loveday-Hill
Partner