Precautionary tales on children’s data in financial services
Posted: June 27, 2025
In a simple world, an organization would be able to take moderate measures to determine whether a customer is of an age at which privacy regulations consider that person to be a child.
Based on that, they would follow one of two clear paths:
- If the data subject is a child: rely on parents or guardians for consent, data collection, and individual rights requests.
- If the data subject is not a child: interact directly with them on privacy matters.
In this simple world, regardless of the age of the data subject, most privacy activities (like data inventories, DPIAs, etc.) would remain the same. After all, privacy is privacy… right?
At least one regulator says no.
The ICO’s findings: A more complex picture
The United Kingdom’s (UK’s) Information Commissioner’s Office (ICO) recently published the results of a study it conducted on children’s privacy in the financial services industry. The study reveals a much more complicated picture, one that may present multiple pitfalls for financial services organizations trying hard to do the right thing by parents and children alike.
The ICO’s focus on financial services is notable. While children can and do hold financial accounts, this sector is not typically associated with major privacy risks for children. The study did not focus on common concerns like lack of parental consent or unauthorized marketing. Instead, it highlighted more subtle issues such as:
- Clarity of privacy notices
- Handling of individual rights
- The inadequacy of a one-size-fits-all approach
There is also good news out of the ICO study. The ICO presented positive, privacy-sensitive findings as well as criticisms of the financial services industry.
Regardless, it will be useful for any company handling UK personal data to consider the ICO’s recent positive and negative findings as valuable insight into the privacy regulator’s focus, expectations, and probable future enforcement activity.
Key areas of review for children’s financial data
At a high level, the ICO study reviewed these topics across the financial services industry:
- Governance
- Transparency
- Information Use
- Individual Rights
- Age Verification
- Contact and Marketing
- AI and Automated Decision Making
The detailed findings in each of the above areas are important to read. At the same time, a few overarching trends intersect with all of these areas and bear review. These trends emerge from an overview of just the first few topics.
Governance
One factor the ICO considered was that of governance, which in this case translates to policies and procedures, proactive monitoring of compliance, and staff understanding/training of expectations related to children’s data handling.
The findings in the ICO’s study include:
- Most organizations provide general privacy training.
- Few offer training specific to children’s data.
- 69% have child-specific privacy policies.
- Only 67% monitor compliance with these policies.
The ICO therefore recommends that financial services organizations (and companies outside of the financial services industry) adopt policies and procedures specific to children’s privacy and regularly provide training specific to this topic.
Transparency
ICO findings about transparency issues are especially interesting. Rather than assuming that children have no agency on their own and that parents or guardians must assume responsibility for understanding privacy practices and taking action accordingly, the ICO takes seriously the idea that children are data subjects in their own right, and that they deserve a privacy notice that they can understand, appropriate to their age.
Specifically, the ICO reviewed whether financial institutions provided a child-specific notice, and whether the language and content were appropriate for different ages.
The ICO found:
- About half of organizations provide child-specific notices.
- Only a quarter test these notices for comprehension.
- Some notices include extraneous information, which places unnecessary burdens on young readers.
As a result, the ICO suggests that organizations not only provide notice versions designed for children but also provide different versions for children of different ages. The ICO proposes two techniques that can help children understand the relevant content: just-in-time notices that present limited, in-context information, and notices that employ simplified language and graphics, diagrams, pictures, or cartoons. Additionally, the ICO asks organizations to test notices on actual children to judge understandability.
Information Use/Consent
The ICO found that:
- Most organizations maintain a Record of Processing Activities (ROPA) and legal basis for processing.
- Only a quarter distinguish between processing children’s vs. adults’ data.
- Consent practices often fail to meet standards for being freely given and informed.
Moreover, the ICO called out problems related to a once-and-done perspective of consent, rather than a consent refresh cadence. That is, organizations initially obtained consent from a parent but did not obtain a similar consent from the child once that child became old enough to make their own decisions.
Individual Rights
The ICO had interesting comments about individual rights handling and children. At a high level, the ICO called out the fact that children are data subjects, and that data subject rights apply to children just as they do to adults, saying,
“Organizations cannot deny children their data protection rights. Even if a child is too young to understand the implications of their rights, they are still their rights, rather than anyone else’s such as a parent.”
Similarly, the ICO called out the complex interaction among a child’s competency to make requests, parental responsibility to function as an advocate for their child, and the need to prevent parents from overreaching by making rights requests, such as access requests, without the child’s authorization or without regard to the child’s best interest.
As a result, the ICO suggests that organizations:
- develop child-specific procedures related to individual rights,
- consider each request individually,
- get a child’s consent for a parent’s request on behalf of that child, and
- ensure that they allow a child to request rights directly if the organization has also obtained consent or acknowledgement for privacy practices directly from that child.
Trend summary and strategic recommendations
As outlined in the overview above, the ICO’s findings and recommendations reveal clear trends concerning children’s privacy within the financial services sector.
The ICO considers children to be data subjects in their own right and places responsibility firmly on the shoulders of financial services organizations to provide children the clarity, mechanisms, and due process to help ensure that they can and do exert control over their privacy future. Moreover, ICO recommendations suggest that all organizations:
- Implement child-specific frameworks
  - Develop tailored notices, policies, procedures, and training.
  - Maintain child-specific ROPAs and consent processes.
- Adapt to the child’s development
  - View privacy as a continuum that evolves with the child’s age and understanding.
  - Provide multiple notice versions and refresh consent over time.
  - Strike the right balance between simplicity and robustness for children of different ages.
- Personalize the privacy experience
  - Recognize that each child is unique.
  - Test comprehension and adjust processes accordingly.
  - Handle individual rights requests with flexibility and in the child’s best interest.