Background

On 1 April 2025, the Information Commissioner’s Office (ICO) published its review on the use of children’s data in the financial services sector, highlighting good practices, risks to data protection compliance and areas needing improvement. This review followed the ICO’s engagement with various organisations within the sector. 

This article summarises some of the key findings from the ICO’s report and provides practical tips for financial services organisations to consider.

Purpose of the ICO’s review 

Children were identified by the ICO as a vulnerable group within its ICO25 strategic plan. The protection of children’s data is therefore a current priority for the ICO (and an area where we are likely to see more regulatory scrutiny in the future).

Children are also important customers for financial institutions, as they represent their future customer base. Children’s products are therefore a key area of development and focus for many organisations. However, the ICO’s review highlights the complexities faced by organisations from a compliance perspective when processing children’s data. 

Key themes and findings

We identified the following key themes from the ICO’s recent review:

(a) Lack of governance for ongoing compliance

It is evident from the ICO’s findings that many organisations treat compliance as a one-time exercise. In particular:

  • several organisations often provided privacy information as a one-time exercise and did not revisit it as children aged and their understanding increased.
  • where consent was used as a lawful basis, the consent was not kept under review – for example, if a parent initially provided consent on behalf of their child, such consent would likely become invalid as the child grows older and their ability to understand the processing for themselves increases. 

Organisations should ensure that they incorporate appropriate touchpoints in their product lifecycle for younger customers and assess appropriate intervals at which to seek refreshed consent (directly from the child) and remind children of their right to withdraw consent. 

(b) Challenges with transparency 

Whilst half of organisations reported having age-appropriate privacy information, the ICO found that (in reality) the number was lower. Several organisations were also found to pass their transparency responsibilities onto parents, which increased the risk that children are recorded as having agreed to terms and conditions and privacy information that they do not understand. 

To improve transparency for children, organisations should:

  • Use clear language: Avoid industry jargon and use plain language (e.g., "ID verification" can be simplified to "confirming who you are").
  • Limit content: Focus on what is relevant at the time (e.g., data is unlikely to be shared with HMRC if the account is available to children aged 11 and over).
  • Provide ongoing transparency: Ensure transparency is continuous rather than a one-time disclosure.
  • Engage with visuals: Use cartoons, pictures, diagrams, or videos to make information more accessible.
  • Test for comprehension: Regularly test privacy information on children to ensure they understand it.

Unfortunately, it isn’t the case that organisations can simply amend their general customer privacy notice to make it more child-friendly. Organisations should also ensure that only relevant information is provided to children. This will likely involve creating supplementary notices and a product roadmap to understand when information on processing activities will become relevant.

(c) Assessing a child’s competence 

Children have the same data protection rights as adults under the UK GDPR. However, 88% of organisations lack processes to assess a child's understanding of these rights (the child’s so-called ‘competency’). 

It is important to note that there isn’t a “one size fits all” approach to assessing competency. Whilst setting an age limit could be a useful factor, the ICO is clear that this cannot be used to prevent children accessing their information rights unless there is good reason to think they are not competent. This means that organisations should focus on the nature of the request, rather than relying on a fixed age limit. 

(d) Marketing  

8% of participants provided marketing communications to children. Whilst there is nothing in the UK GDPR that prohibits profiling or marketing to children, children’s data merits specific protection. Organisations should therefore undertake a DPIA to evaluate risk and consider their practices in this area (including ensuring that children understand how their data is used for marketing/profiling).

How TLT can help

It is clear from the ICO’s review that there are some significant improvements for organisations to make in order to comply with the UK GDPR in this area. However, there is also a real opportunity for financial institutions to differentiate themselves in the sector and to empower the data protection rights of children. 

The ICO’s review highlights that there are some challenges and complexities in this area and organisations in the financial services sector should review their current practices and processes in light of the ICO’s review. TLT’s Data Privacy and Cybersecurity team are extremely well-placed to support you with this review and any next steps - if you would like to talk to us in more detail, please do get in touch. 

Authors – Grace Roddie and Georgina Hands

This publication is intended for general guidance and represents our understanding of the relevant law and practice as at May 2025. Specific advice should be sought for specific cases. For more information see our terms & conditions.

Date published

01 May 2025
