children-privacy-notice

Children's Privacy Notice Design

Overview

Privacy notices directed at children must meet heightened transparency standards under GDPR Articles 12-14, UK AADC Standard 4 (Transparency), and COPPA Section 312.4. Article 12(1) GDPR requires that information be provided "in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child." Recital 58 reinforces this by stating that given children's specific protection needs, any information and communication should be in such clear and plain language that the child can easily understand. This skill provides a comprehensive framework for creating privacy notices that children of different ages can genuinely comprehend and act upon.

Legal Requirements

GDPR Article 12(1) — Transparent Communication

"The controller shall take appropriate measures to provide any information referred to in Articles 13 and 14 and any communication under Articles 15 to 22 and 34 relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child."

GDPR Article 12(7) — Standardised Icons

"The information to be provided to data subjects pursuant to Articles 13 and 14 may be provided in combination with standardised icons in order to give in an easily visible, intelligible and clearly legible manner a meaningful overview of the intended processing."

GDPR Article 13 — Information at Point of Collection

Requires provision of: controller identity and contact details, DPO contact details, purposes and lawful basis, legitimate interests (if applicable), recipients, international transfer details, retention period, data subject rights, right to withdraw consent, right to lodge a complaint, whether provision is statutory/contractual/obligatory, and automated decision-making details.

UK AADC Standard 4 — Transparency

"Provide privacy information in a way that is suitable for the audience. The clarity, prominence, and language of information should be tailored so that a child is able to understand: what data is being collected, what it is being used for, and by whom."

COPPA Section 312.4 — Notice Requirements

Requires operators to post a clear, complete, and understandable online notice of information practices with respect to children, and provide direct notice to parents before collecting personal information from a child.

Age-Segmented Communication Framework

Segment 1: Pre-Literate and Early Readers (Under 8)

Cognitive Characteristics: Cannot read lengthy text. Understanding through images, simple icons, and verbal explanation. Concrete thinking — cannot grasp abstract concepts like "data processing" or "third parties."

Notice Design Principles:

• Primarily visual: use illustrations, animations, or short video clips (under 60 seconds)
• Use a character or mascot to guide the child through privacy concepts
• Maximum 5-7 words per visual frame
• Use concrete metaphors: "your picture" instead of "image data"; "your toys" instead of "your account information"
• Present privacy choices as simple physical analogies: "lock your diary" for private mode; "tell your friend" for sharing

Vocabulary Level: Maximum Year 2 reading level (UK) / Grade 1 (US). Short sentences (4-6 words). Common monosyllabic words.

Format: Animated walkthrough during onboarding; no separate document. Parent receives the full Art. 13 notice.

Example Content:

[Illustration: Character with a backpack]
"When you play here, we remember your name and your favourite games."

[Illustration: Character with a padlock]
"We keep your things safe. Only you and your grown-up can see them."

[Illustration: Character waving goodbye]
"Your grown-up can ask us to forget everything about you."

Segment 2: Primary School Children (8-11)

Cognitive Characteristics: Can read simple text. Beginning to understand cause and effect. Limited understanding of commercial motivations or institutional relationships. Concrete operational thinking — can understand rules but not abstract policies.

Notice Design Principles:

• Illustrated text with icons for each concept
• Short paragraphs (2-3 sentences maximum)
• Use "you" and "we" language consistently
• Explain "why" in practical terms: "We ask your age so we can show you the right games"
• Use interactive elements: expandable sections, hover-over definitions, quizzes
• Provide a summary version with option to "learn more" for each section

Vocabulary Level: Maximum Year 5 reading level (UK) / Grade 4 (US). Sentences of 8-12 words. Avoid passive voice.

Required Content Blocks:

Block	What to Communicate	Example Language
Who we are	Controller identity	"BrightPath Learning is the company that makes this app. You can email us at hello@brightpathlearning.eu"
What we collect	Data categories	"When you use our app, we learn: your name, your age, which games you play, and how you're doing in your lessons"
Why we collect it	Purposes	"We use this to: show you lessons that match your level, tell your parent how you're doing, and make our games better"
Who else sees it	Recipients	"Only you and your parent can see your progress. Nobody else can see it."
How long we keep it	Retention	"We keep your information while you have an account. When your parent deletes your account, we delete everything about you within 30 days."
Your choices	Rights	"You can: see everything we know about you, ask us to fix mistakes, ask your parent to delete your account"
How to complain	Supervisory authority	"If something worries you, tell your parent. They can also contact the people who check that companies follow the rules (the ICO in the UK)."

Segment 3: Secondary School Children (12-15)

Cognitive Characteristics: Can read and understand structured text. Beginning to think abstractly. Understands commercial relationships at a basic level. Peer influence is significant — privacy framing should include social context.

Notice Design Principles:

• Layered approach: headline summary, then expandable detail for each topic
• Use real-world examples and scenarios relevant to their experience
• Include a "so what does this mean for me?" section for each data practice
• Use infographics and flow diagrams for data sharing
• Address common questions directly: "Can my friends see my profile?" "Will I get ads based on what I do?"
• Include interactive privacy settings directly within the notice

Vocabulary Level: Maximum GCSE reading level (UK) / Grade 8 (US). Sentences up to 15 words. Technical terms permitted if defined immediately.

Structure:

1. One-Paragraph Summary (30 words): The essential message
2. Key Facts Table: Who, what, why, who else, how long — one row each
3. Detailed Sections: Expandable sections for each Art. 13 element
4. Your Privacy Controls: Direct links to privacy settings
5. Questions?: Contact details and complaint mechanism

Segment 4: Young Adults (16-17)

Cognitive Characteristics: Near-adult reading comprehension. Can understand abstract and legal concepts with appropriate framing. Developing autonomy — expects to be treated as a competent decision-maker.

Notice Design Principles:

• Standard privacy notice structure with plain language adaptations
• Use the adult privacy notice as the base but replace legal jargon with plain equivalents
• Include a glossary for any retained technical terms
• Address topics relevant to this age group: employment data, university applications, social media presence, financial data
• Respect their developing autonomy while noting parental involvement where required

Vocabulary Level: A-Level reading level (UK) / Grade 10 (US). Full sentences. Legal terms permitted with inline definitions.

Layered Notice Architecture

The ICO and EDPB recommend a layered approach to privacy information for all audiences, but this is particularly important for children.

Layer 1: Just-in-Time Notice (At Point of Collection)

Displayed at the exact moment data is collected. Must be:

• Visible without scrolling
• Maximum 2 sentences
• Includes the specific purpose for this collection
• Links to Layer 2 for more detail

Example (BrightPath Learning — game progress collection):

"We're saving your game score so you can see how you're doing over time.
Your parent can see your scores too. [Learn more]"

Layer 2: Summary Dashboard (Privacy Centre)

A visual summary of all data practices, accessible from a permanent link in the app navigation.

• Organised by topic (not by legal article)
• Uses icons and colour coding
• Each section expandable to Layer 3

Layer 3: Full Privacy Notice

Complete Art. 13 information in plain language. Available as a scrollable web page and downloadable PDF. Includes:

• All mandatory Art. 13 elements
• Version number and date
• Change history summary
• Contact details and complaint mechanism

Layer 4: Parent/Guardian Notice

Full legal privacy notice with all technical and legal detail. Sent directly to the parent via email at the point of parental consent. Includes:

• Full Art. 13 notice
• Art. 8 parental consent details
• Parental rights under COPPA (if applicable)
• Parental dashboard access instructions

Readability Testing

Automated Readability Metrics

Metric	Target for Under 12	Target for 12-15	Target for 16-17
Flesch-Kincaid Grade Level	4.0 or below	8.0 or below	10.0 or below
Flesch Reading Ease	80+ (Easy)	60-80 (Standard)	50-60 (Fairly Difficult)
Gunning Fog Index	6 or below	10 or below	12 or below
Average Sentence Length	8-10 words	12-15 words	15-18 words
Passive Voice Percentage	0%	Under 10%	Under 15%

User Testing with Children

Automated metrics are necessary but not sufficient. The ICO recommends testing notices with children from the target age group:

1. Comprehension Test: Show the notice to 10+ children in the target age range. Ask them to explain in their own words what data is collected, why, and what they can do about it. Target: 80% of children correctly understand the core messages.
2. Findability Test: Ask children to find specific information in the notice (e.g., "How do you delete your account?"). Target: 90% find the answer within 30 seconds.
3. Emotional Response: Ask children how the notice makes them feel. Target: children report feeling informed and in control, not anxious or confused.
4. Action Test: Ask children to change a specific privacy setting using the information in the notice. Target: 80% complete the task without assistance.

BrightPath Learning Inc. — Privacy Notice Implementation

Notice Architecture

BrightPath serves children aged 8-15 and implements the following notice structure:

For Children 8-11 (Illustrated Interactive Notice):

• Animated character "PathBot" guides children through privacy information during first use
• Each screen covers one topic (what we collect, why, who sees it, your choices)
• Interactive quiz at the end: "Can you remember what we do with your game scores?"
• Accessible from the main menu under a shield icon labelled "Your Privacy"

For Children 12-15 (Layered Summary with Expandable Detail):

• Privacy dashboard with icon-based summary cards
• Each card expandable to 2-3 sentence explanation
• "Deep dive" link to full notice section
• Privacy settings controls integrated directly into the notice

For Parents (Full Legal Notice):

• Sent via email at parental consent stage
• Complete Art. 13 / COPPA Section 312.4 notice
• Links to parental dashboard
• Available in PDF format for record-keeping

Content Inventory

Art. 13 Element	Children's Version	Parent Version
Controller identity (13(1)(a))	"BrightPath Learning made this app"	Full legal entity name, registration number, address
DPO contact (13(1)(b))	"If you're worried, tell your parent"	DPO name, email, postal address
Purposes (13(1)(c))	"We use your info to show you the right lessons and tell your parent how you're doing"	Detailed purpose descriptions with lawful basis
Lawful basis (13(1)(c))	Not applicable for child version	Art. 6(1)(a) consent (via parental consent under Art. 8)
Legitimate interests (13(1)(d))	Not applicable	Service security and fraud prevention
Recipients (13(1)(e))	"Only you and your parent see your info"	Hosting provider (AWS EU), no third-party data sharing
Transfers (13(1)(f))	Not applicable (no transfers)	Data stored within EEA; no third-country transfers
Retention (13(2)(a))	"We keep your info while you have an account. When you leave, we delete it"	Account data retained for duration of account plus 30 days. Activity logs retained for 90 days.
Rights (13(2)(b))	"You can see your info, fix mistakes, and ask to delete everything"	Full Art. 15-22 rights enumerated
Withdrawal (13(2)(c))	"Your parent can change their mind about letting us use your info"	Consent withdrawal via parental dashboard or email to DPO
Complaint right (13(2)(d))	"Your parent can complain to the privacy people"	Right to lodge complaint with ICO or relevant SA
Necessity (13(2)(e))	"We need your name and age to make you an account"	Statutory and contractual requirements specified
Automated decisions (13(2)(f))	"Our app picks lessons for you based on how you're doing — it's like a teacher choosing the next exercise"	Content recommendation algorithm based on learning progress; no legal or significant effects

Common Compliance Failures

1. Single adult-format notice for all ages: Providing the same legalistic privacy policy to adults and children violates Art. 12(1)'s requirement for child-specific language
2. Over-reliance on privacy policy page: Children rarely navigate to a separate privacy policy page; just-in-time notices are essential
3. Jargon in children's notice: Terms like "data processing," "legitimate interest," "third party," or "data subject" are incomprehensible to children under 15
4. No user testing: Creating a child-friendly notice without testing it with actual children in the target age range
5. Missing "so what": Telling children what data is collected without explaining how it affects them in practical terms
6. No visual elements: Text-only notices fail to engage children under 12 and do not meet AADC Standard 4 expectations

Enforcement Precedents

• TikTok (DPC Ireland, 2023): EUR 345 million fine included findings that TikTok failed to provide transparent and age-appropriate privacy information to child users, violating Articles 5(1)(a) and 12-13.
• Instagram (DPC Ireland, 2022): EUR 405 million fine included findings on lack of transparency about how children's data was processed, particularly regarding public-by-default business account settings.
• YouTube/Google (FTC, 2019): Settlement included requirement to provide clear notice about data collection practices on child-directed channels.

Integration Points

• GDPR Parental Consent: The notice to children operates alongside the notice to parents — both must be provided, with different content and format
• UK AADC Implementation: AADC Standard 4 provides detailed requirements beyond Art. 12, including testing with children
• COPPA Compliance: COPPA Section 312.4 requires both an online notice and a direct notice to parents with specific content requirements
• Age Verification Methods: The age verification result determines which notice version to display
• Children's Data Minimisation: The notice must accurately reflect minimised data practices — it is a compliance red flag if the notice describes extensive collection while claiming data minimisation