Children are a significant part of the financial services’ customer base. The ICO have provided a review of children’s data together with a handy checklist.
The financial services sector is rapidly evolving, embracing new technologies, and catering to an increasingly diverse range of retail customers. Children represent a significant segment of the customer base. With the introduction of products such as junior ISAs, prepaid cards, and various account types tailored specifically for minors, the financial sector is recognising the importance of fostering early financial literacy and engagement. At the same time, the UK GDPR calls for specific protection for children with regard to their personal data, on the basis that they may be less aware of risks, consequences and their rights (Recital 38, UK GDPR).
The UK Information Commissioner’s Office (ICO) has reported on a timely and comprehensive review of how children’s personal data is processed within the financial services retail sector. Their review involved engagement with more than 40 organizations over 7 months last year and provides valuable insights, highlighting examples of good practice, as well as areas for improvement. The areas surveyed were governance, transparency, use of information, individual rights, age verification and marketing and communications.
Children’s financial products are a focal point for development for several participants in the ICO’s review, acknowledging that they represent future customers for the broader range of products and services offered.
Positive findings
The ICO’s review highlighted several positive practices within the industry. Among these, it is reassuring that robust age verification and data minimisation practices were demonstrated.
Age verification
Robust age verification processes are essential in the financial services sector, particularly when providing services to minors. They help prevent fraudulent activities and ensure that financial products are provided only to eligible customers. A high level of confidence in a young customer’s age also helps the financial institution ensure (and demonstrate) that appropriately clear language is being used. It also underpins how a valid consent may be collected and how requests to exercise data protection rights should be handled (e.g. when is it reasonable to rely on the child’s consent and when is parental involvement needed?). The ICO’s review reflected that different approaches may be taken on account opening depending on whether the account is held in trust for the child (e.g. junior ISA) or not. In the case of junior ISAs, the age of the “child” could be verified when they became active on that account, usually once they reached 16.
Data minimisation
Data minimisation is a key principle of data protection, and it involves collecting only the data that is necessary for a specific purpose. The ICO noted that 40% of participants collected special category data, which at first glance seemed surprising; where this related to children, it was limited to health data and was processed on the basis of explicit consent. The ICO noted (without comment) that participants justified collecting health information for the purpose of providing a better service based on needs or vulnerabilities. That appears consistent with the FCA’s Consumer Duty (see below). Some financial services companies surveyed noted that they may process criminal offence information about parents but this would only be for accounts in the parent’s name on trust for the child, e.g. a savings account.
Areas for improvement
Alongside positive findings, the ICO’s review also identified evidence of risks to compliance and several areas where improvements are needed. These areas include age-appropriate privacy policy wording, specific staff training on data protection for children, reviewing parental consent, and distinguishing between parents and children in marketing communications.
Age-appropriate privacy policy wording
The review revealed that under 50% of the organisations had privacy policies with language that was compliant with age-appropriate guidelines. Several organisations had passed the transparency obligation on to parents, expecting them to explain the privacy policies to their children. The ICO did not endorse this approach, suggesting that organizations should take responsibility for ensuring that their privacy policies are understandable to children. Significantly, the ICO acknowledged that the Age Appropriate Design Code (also known as the Children’s Code) is not directly applicable to the provision of financial services to children. The Code may still provide helpful guidance, nonetheless.
Specific staff training on data protection for children
Another area for improvement was the provision of specific staff training on data protection for children. The review found that less than 20% of the organizations surveyed provided such training. Given the unique considerations involved in handling children’s data, it is essential that relevant staff members are adequately trained to understand and address these issues.
Reviewing parental consent
The review highlighted the need for organisations to consider parental consent carefully as children grow older. Requests to exercise data protection rights in this context are infrequent, but care must be taken to avoid parents’ wishes unfairly superseding those of children. An example given in the ICO’s report was parents making an access request to see bank statements of their 14 year old who was responsible for their own spending. The ICO’s view was that providing the information to the parents would be unlawful sharing by the bank and that the 14 year old’s consent would be needed. Approaches varied, often depending on how organisations assessed a child’s competence to understand their rights. In several cases, decisions were based on a predetermined age limit rather than an individual assessment. This approach may need reassessment to ensure fairness and compliance.
Distinguishing between parents and children in marketing communications
Improvements were also needed around the distinction between parents and children in marketing communications. The review found that only 8% of organizations provided consent-based marketing to children. However, clear and distinct communication strategies must be developed to avoid targeting children with inappropriate marketing materials and to respect their data privacy.
Parallels with the FCA’s Consumer Duty
The FCA’s Consumer Duty framework requires firms to deliver good outcomes for all retail customers. The Duty includes outcomes that financial firms must achieve; amongst them ensuring that customers are provided with clear and understandable information and that they receive the support they need. A child, although not explicitly referenced, could certainly fit the description of a “vulnerable” customer under the Duty—someone who, due to their personal circumstances, is especially susceptible to harm, particularly when a firm is not acting with appropriate levels of care.
Conclusion
The areas identified for improvement in the review provide a helpful checklist for financial services providers organizations with younger customers in mind. The review also sheds light on some of the challenging nuance needed when providing services to children. When is a child competent to exercise their rights? Age ranges might appear a reasonable heuristic but what about when your customer is a precocious 8 year old? Or a less cognitively able teenager? When should requests by a parent for access to account transactions be resisted without the (minor) customer’s consent? How should firms go about demonstrably meeting both their data protection and financial regulatory obligations?
As the industry continues to evolve, it is important to ensure that its youngest customers are not left behind. With the Consumer Duty framework now in force, firms have plenty of reasons for shaping business models and communications to address the needs of younger clients, ensuring fair treatment and promoting good outcomes. By focusing on clear, understandable information and ensuring appropriate levels of care, the sector can better serve the mortgage borrowers and investors of the future.
|
Category |
Checklist |
|
|
Governance |
Do you have clearly defined policies and procedures for processing children’s personal information? |
☐ |
|
Are specific responsibilities for processing children’s data included in job descriptions? |
☐ |
|
|
Do you provide data protection training that includes specific content about children’s data? |
☐ |
|
|
Are you proactively monitoring compliance with policies and procedures? |
☐ |
|
|
Transparency |
Do you provide privacy information in a child-friendly manner using clear and plain language in a suitably engaging way, e.g. like cartoons, pictures, diagrams, or videos to convey key information? |
☐ |
|
Is the privacy information you provide limited to what is relevant and necessary at the time it is provided? |
☐ |
|
|
Do you maintain transparency as an ongoing process and provide supplementary information as needed? |
☐ |
|
|
Have you tested your privacy information on actual children to ensure they understand it? |
☐ |
|
|
Use of Information |
Do children (or their parents) have a genuine choice about how their personal information is processed? |
☐ |
|
Is data protection consent obtained separately from other terms and conditions? |
☐ |
|
|
Are you assessing the competence of children to understand what they are consenting to (where the child is consenting directly rather than the parent)? |
☐ |
|
|
Are you refreshing consent, especially when initially granted by a parent? |
☐ |
|
|
Are you providing regular reminders to children about their right to withdraw consent? |
☐ |
|
|
Data Protection Rights |
Have you developed and documented policies for handling requests involving children’s data? |
☐ |
|
Are you assessing each request on its own merits and acting in the child’s best interest? |
☐ |
|
|
Do your practices recognise that if a child is capable of providing a valid consent, they should be able to exercise their own rights? |
☐ |
|
|
Are you reminding children regularly about their rights and how to exercise them? |
☐ |
|
|
Are you seeking authorisation from a child (at an appropriate age) when a request is received from a parent? |
☐ |
|
|
Age Verification |
Do you have robust processes in place for verifying the age of children when an account is opened/when they become active on the account? |
☐ |
|
Contact (Including Marketing) |
Have you conducted a Data Protection Impact Assessment (DPIA) to assess high risks to children’s rights and freedoms when providing marketing to children? |
☐ |
|
Can you demonstrate that children are aware of and understand their information is being used for marketing purposes (if that’s happening)? |
☐ |
|
|
If so, can you also show children are aware of their right to object to profiling and marketing and know how to exercise this right? |
☐ |
Checklist based on the ICO’s review – please consult the report to access the comprehensive findings.
Disclaimer
This information is for general information purposes only and does not constitute legal advice. It is recommended that specific professional advice is sought before acting on any of the information given. Please contact us for specific advice on your circumstances. © Shoosmiths LLP 2025.