Children’s Data – New Guidelines issued by the Singapore Personal Data Protection Commission (PDPC)

The issuance of the Advisory Guidelines on the PDPA for Children’s Personal Data in a Digital Environment (“New Guidelines”) is aligned with the Singapore government’s focus in recent years on the protection of children from online harms.

In particular, the New Guidelines highlight the following:

• Which businesses should be more aware when collecting children’s data: Organisations which offer social media services, technology-aided learning, online games and smart toys and devices are some examples of businesses which would come within the scope of the New Guidelines
• Communicating with children: Organisations should use simple language which children will understand when communicating with them (for e.g. when notifying them of the purposes for which organisations will collect, use and/or disclose their personal data and notifying them of data breaches)
• Obtaining consent: The PDPC has reiterated its views that children between the age of 13 and 17 may give consent of their own accord. However, depending on the business context, organisations should also consider if a higher age of consent is required (e.g. in an education setting) and obtain consent from the parents or legal guardians where necessary
• Age verification: Organisations are encouraged to verify or estimate the age of their users so that appropriate safeguards can be implemented to protect users who are children. Examples of such safeguards include the pushing of age-appropriate advertisements, reminding users to take breaks during gameplay and data minimization (e.g. considering if it is necessary to collect precise geolocation data from users)
• Conducting Data Protection Impact Assessment (DPIA): Where a new product or service is likely to be accessed by children, organisations are encouraged to conduct a DPIA first

Organisations collecting, using or disclosing children’s data should expect an increased scrutiny of their current practices.

We recommend that organisations working with children’s data start reviewing their existing policies and mechanisms and refreshing these where required in light of the New Guidelines.

The New Guidelines are available here. They are to be read together with existing guidelines on Data Activities Relating to Minors (Chapter 8 of the Advisory Guidelines on the PDPA for Selected Topics, available here.)