Legal Alert: ODPC Releases Draft Guidance on Processing of Children’s Personal Data

The Office of the Data Protection Commissioner (ODPC) has published a draft Guidance Note on Processing of Children’s Personal Data and called for comments on the draft.

The Guidance Note aims to strengthen the protection of minors under the Data Protection Act. It is especially relevant for entities in education, healthcare, technology, media, and other sectors that interact with or collect data from children.
Key Highlights from the Draft Guidance
1. The Legislative Framework for Processing Children’s Personal Data
Organisations handling children’s personal data must be guided by the relevant legal instruments that safeguard children’s rights and privacy. In particular, data controllers and processors are required to comply with:
  • The Constitution of Kenya 2010
  • The Children’s Act, 2022
  • The Data Protection Act 2019 and attendant regulations
2. Data Protection Principles
Children’s personal data must be processed in line with the principles of data protection outlined in Section 25 of the Data Protection Act. These principles include lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, and transfer limitation.
The Guidance Note further emphasises that data handlers must demonstrate accountability by implementing appropriate and effective safeguards, including:
  • Clearly informing parents or guardians about the risks associated with the processing of children’s data
  • Obtaining verifiable parental or guardian consent prior to data collection
  • Implementing robust age verification mechanisms
  • Establishing strong technical and organisational measures to protect children’s data
  • Enabling parents or guardians to exercise data subject rights on behalf of minors
  • Conducting due diligence when engaging third-party data processors
  • Providing regular training and awareness programs for staff
  • Carrying out periodic compliance audits
  • Performing Data Protection Impact Assessments (DPIAs) before initiating any processing activity involving children’s data

3. Lawful Basis for Processing Children’s Personal and Sensitive Data

Organisations must ensure that the processing of children’s personal and sensitive data is grounded in a lawful basis as required under the Data Protection Act, 2019. The primary lawful basis is informed parental or guardian consent.

Key considerations include:
  • Consent must be obtained from a parent or legal guardian after providing clear, accessible, and comprehensive information. At a minimum, the following must be disclosed before seeking consent:
    • The identity of the data controller or processor
    • The purpose of each processing activity
    • The types of personal data to be collected or used
    • Whether the data will be used for automated decision-making and, if so, whether there are mechanisms for human intervention
    • Whether the child’s data will be shared with third parties
  • Parents or guardians must not face any adverse consequences for declining to give consent.
  • In certain cases, data handlers may rely on other lawful bases provided under Section 30 of the Data Protection Act, such as performance of a legal obligation or protection of vital interests—provided these are appropriate and justifiable for the context.
  • Before collecting or processing any personal or sensitive data, the data handler must establish both:
    • A clear and legitimate purpose for the processing activity; and
    • A valid lawful basis to support the processing.
4. Age Verification and Consent
To ensure lawful processing of children’s personal data, data handlers must implement reliable and privacy-conscious age verification and consent mechanisms. The Guidance Note outlines the following expectations:
  • Data handlers must adopt appropriate tools and procedures to confirm whether a data subject is a child. These may include:
    • Requiring users to provide their date of birth
    • Requesting identification documents (e.g. birth certificates, school IDs)
    • Implementing age-gating mechanisms to restrict access to age-appropriate services
  • To ensure that consent is valid, data handlers must verify the identity and legal authority of the parent or guardian. Acceptable methods include:
    • Signed consent forms
    • Email verification
    • Submission of government-issued identification documents
    • Use of third-party verification services
    • Electronic signatures where applicable
  • All age and consent verification measures must be:
    • Proportionate to the nature of the data and the risk posed
    • Privacy-preserving, collecting only the minimum information necessary
    • Supported by a Data Protection Impact Assessment (DPIA) to evaluate and mitigate potential risks associated with the verification process

5. Exemptions to Parental Consent

While parental or guardian consent is generally required for the processing of children’s personal data, the Guidance Note recognises certain limited exemptions:

  • Exemptions under section 33 of the Data Protection Act: A data controller or processor that provides counselling or child protection services exclusively to a child may be exempt from the obligation to obtain parental consent.
  • Exemptions under the Children’s Act: Pursuant to Section 187 of the Children’s Act, 2022, parental or guardian consent may be waived in circumstances where the parent or guardian has abandoned or neglected the child, or where consent is unreasonably withheld, thereby placing the child’s wellbeing or rights at risk.
6. The Best Interests of the Child Principle
Under Article 53(2) of the Constitution of Kenya and Section 8 of the Children’s Act, 2022, the best interests of the child must be a primary consideration in all matters concerning children, including the processing of their personal data.
As such, data controllers and processors are required to prioritise and promote the best interests of the child at every stage of data collection, use, and storage. This includes:
  • Recognising and supporting the role of parents/guardians in safeguarding children’s welfare
  • Protecting children from exploitation and data misuse
  • Promoting the child’s physical, emotional, and psychological development
  • Respecting and nurturing the child’s individuality and emerging autonomy
  • Accommodating the needs of children with disabilities
To operationalise this principle, the Guidance Note recommends that data handlers carry out a structured Best Interests Assessment before initiating any data processing activity involving children. This assessment should:
  • Evaluate how the data processing activity supports or threatens the child’s rights
  • Examine the purpose, methods, and timing of data collection and how it affects children and their families
  • Assess the severity and likelihood of potential risks or harms
  • Develop a risk mitigation plan to safeguard children’s rights and enhance protective measures
The Guidance Note further encourages organisations to integrate Best Interests Assessments into routine Data Protection Impact Assessments (DPIAs) to ensure that children’s rights remain central to data governance practices.
7. Exercising Children’s Data Protection Rights
Children are entitled to all data protection rights under the Data Protection Act, 2019, including the rights to information, access, rectification, objection, erasure, restriction and data portability. However, these rights can only be exercised by a parent or legal guardian on the child’s behalf.
To ensure the protection and proper handling of these rights, data controllers and processors must implement verification procedures to confirm the identity and legal authority of any individual acting on a child’s behalf.
8. Safeguarding Children’s Personal Data
Given the heightened risks associated with processing children’s personal data, data handlers must implement robust safeguards to ensure compliance with the Data Protection Act, 2019 and uphold the rights of minors.
The following measures are recommended:
  • Apply the principles of Privacy by Design and by Default:
    • Privacy by Design involves embedding privacy considerations into the development of systems, services, and processes from the outset, with continuous risk assessments throughout the data lifecycle.
    • Privacy by Default ensures that only the minimum, necessary data is collected and processed. This includes clearly defining data requirements before processing, informing children and parents of data uses, and restricting processing to stated purposes only.
  • Use appropriate technical and organisational measures to protect both physical and digital records of children’s data from unauthorised access, loss, or misuse.
  • Define how long children’s personal data will be stored and ensure timely and secure disposal once the retention period expires.
  • Equip staff with knowledge of data protection principles and specific practices for handling children’s data securely and ethically.
  • Monitor and evaluate data protection measures regularly to identify gaps and improve processes.
  • Notify the Office of the Data Protection Commissioner (ODPC) in the event of any breach, particularly those affecting children, in accordance with legal requirements.
  • Prepare for potential incidents by outlining steps for containment, notification, investigation, and remediation.
9. Data Protection Impact Assessments
Before processing children’s personal or sensitive personal data, data controllers and processors are required to conduct Data Protection Impact Assessments (DPIAs).
  • DPIAs are essential where the intended processing is likely to pose a high risk to the rights and freedoms of children.
  • These assessments help identify and mitigate risks such as exploitation, profiling, psychological harm, or physical harm, and demonstrate compliance with the Data Protection Act, 2019 and its regulations.
10. Registration with the ODPC
Any entity that processes children’s personal data, whether as a data controller or data processor, must be registered with the ODPC as required under the Data Protection Act and the Data Protection (Registration of Data Controllers and Data Processors) Regulations.
11. Processing children’s data on social media platforms
Social media platforms must adopt privacy-forward design and responsible data practices when handling children’s personal data. Recommended measures include:
  • Conducting DPIAs before collecting or processing children’s data to evaluate potential risks and ensure appropriate safeguards are in place.
  • Embedding privacy by design and by default into platform architecture to ensure only the minimum data necessary is collected and processed.
  • Providing clear, accessible privacy notices for parents or guardians, detailing how data will be collected, used, stored, and shared.
  • Implementing age-appropriate privacy settings, such as defaulting to private profiles, limiting content visibility, and restricting data sharing unless explicitly authorised.
  • Limiting data collection to what is necessary and avoiding the collection of sensitive personal data from children unless strictly justified and lawful.
  • Applying robust technical and organisational safeguards including data encryption, pseudonymisation, and secure storage protocols.
  • Establishing data retention policies with clear timelines for automatic deletion or anonymisation of children’s data after the retention period lapses.
  • Running digital literacy and awareness campaigns to educate children and parents on data privacy, safe online behaviour, and how to manage personal data on social platforms.
12. Guidance for Parents where Children are Processing Personal Data Online
Parents and guardians play a vital role in protecting their children’s personal data in the digital environment. Practical steps recommended to enhance online safety include:
  • Verifying the child’s age during account creation to ensure the correct platform experience and compliance with minimum age requirements.
  • Utilising built-in parental controls and safety centres offered by most platforms to manage and monitor children’s use.
  • Customising privacy settings to limit who can access, contact, or interact with the child’s profile and content.
  • Enabling content filters to block harmful, inappropriate, or age-incompatible material.
  • Monitoring online activity regularly and guiding children on how to report or block harmful content or inappropriate interactions.
  • Engaging in ongoing conversations about online privacy, personal data security, digital boundaries, and the risks associated with oversharing (e.g., location, full name, school, age).
  • Encouraging responsible digital habits and fostering open communication so children feel safe to report concerns or seek guidance.
Conclusion
Safeguarding children’s personal data is both a legal obligation and a moral responsibility. The Constitution of Kenya, the Children’s Act, and the Data Protection Act establish a robust framework to ensure that children’s rights are upheld in every aspect of data processing.
Organisations must ensure that their data processing activities are built around the principles of accountability, transparency, and the best interests of the child. This includes obtaining verifiable parental consent, conducting data protection impact assessments, implementing privacy-by-design measures, and maintaining strong technical and organisational safeguards.
If your organisation handles children’s data and you are unsure about how to implement these requirements effectively, you can reach out to us for more detailed guidance.
Let’s work together to protect children’s data—and their future.