In March 2024, Singapore’s Personal Data Protection Commission (PDPC) issued advisory guidelines regarding how regulators will apply the country’s Personal Data Protection Act (PDPA) to children’s personal data in the digital environment. The non-binding guidelines give clear insight into the regulators’ interpretation of the PDPA. What’s more, while of course local requirements vary significantly, for those operating outside Singapore these guidelines offer a good checklist for providing enhanced privacy protections for children’s data. These guidelines follow in a line of recent children’s privacy updates globally, including age-appropriate design codes like those in the UK, California, and Connecticut.
Here are some of the highlights from Singapore’s advisory guidelines:
- The scope includes products and services that children “access in reality.” The guidelines are not merely limited to products and services that are designed for and aimed specifically at children; they are not even limited to those that are “likely to be accessed by children,” though those services are front and center in the discussion. The guidelines expressly reach to all services “children access in reality,” including social media, EdTech, online games, and smart toys and devices.
- Children’s data is, by definition, sensitive data. Children’s data requires a higher standard of protection than non-sensitive personal data. Organizations should adopt a data protection by design approach to protect children’s privacy. Children’s data should not be public and searchable by default. The processing of children’s geolocation data should be disabled by default, and approximate location is preferred over precise location. Providers must also extend these heightened controls to vendors and other third parties that have access to children’s data.
- Consent is required. Parental consent is required for the collection, use, or disclosure of personal data from children under 13. Children between 13 and 17 can generally consent on their own, without parental oversight, but parents must consent where there is “reason to believe” that the child would not have a “sufficient understanding of the nature and consequences of giving consent.”
- Kids should understand disclosures. Disclosures should be in plain and simple language that children of any age can understand. Audio or visual aids within the disclosures can “support the child’s understanding.”
- Companies must have a “reasonable” purpose to process children’s data. The PDPA standard requires all collection, use, and disclosure of personal information to be limited to what a “reasonable person would consider appropriate in the circumstances.” For children, reasonable purposes expressly include—but are not limited to—age verification, preventing self-harm/suicide, and protecting the child from harmful or inappropriate content. On the other hand, it is expressly unreasonable to use a child’s data to target them with harmful or inappropriate content.
- Age verification or estimation is helpful for complying with the guidelines. The guidelines do not suggest any particular tools or techniques for age verification but make clear that organizations should process the minimum amount of data necessary to verify the age of the user. National identity documents are not required for age verification.
- DPIAs. Before a service or product is likely to be accessed by children, the organization should conduct a DPIA to identify and address children’s privacy risks. The guidelines provide a set of 15 questions that organizations should address as part of their child-focused DPIAs. These questions are useful to answer regardless of where a company operates.
Whether or not you operate in Singapore, it is clear that regulators around the world are targeting companies that collect, use, disclose, and store information about children. Singapore’s new guidelines offer a useful baseline that may be helpful to apply globally, outside of more highly regulated markets that require a more tailored approach.