Children's Privacy Policy

The Children's Privacy Policy defines mandatory privacy requirements for PII processing involving children, child-facing services, services likely to be accessed by children, and other processing activities where child PII requires enhanced safeguards. It applies across controller, joint controller, processor and subprocessor contexts, including websites, applications, games, educational services, online platforms, connected services, customer portals, learning environments, communities and support channels. The policy is designed to ensure that child PII is identified, governed, minimized, explained, protected and evidenced through safeguards appropriate to child-facing and child-accessible processing. A central feature of the policy is its reliance on existing PIMS evidence objects rather than separate child-specific registers. The policy requires child-facing status, child-access likelihood, purposes, PII categories, principal categories, recipients and retention references to be captured in REG02. Privacy risk screening and DPIA decisions are routed through REG04. Consent, parental authorization, withdrawal routing and consent receipt references are recorded in REG05 where applicable. Rights requests involving children are managed through REG06, child-friendly notice versions through REG07, processor and data-sharing restrictions through REG08, incident evidence through REG10, and audit, corrective action and improvement records through REG12. The policy provides detailed operational requirements for child-friendly transparency, consent, parental responsibility, minimization, retention, rights participation, privacy by design and disclosure control. Before collecting child PII, Process Owners or Business Owners must confirm that each PII category is necessary for the documented purpose and must define the minimum age-assessment data needed. Child-facing services must apply privacy-protective default settings for optional collection, visibility, sharing, personalization and communications. When child PII involves special-category, highly sensitive, location, biometric, behavioral, communications, educational, health or safety-related information, Data Protection Officer or Privacy Advisor review is required and recorded in REG04. The policy also addresses higher-risk scenarios such as profiling, behavioral analysis, personalization with significant effects, automated decisions, recommender functions, suspected misuse, harmful disclosure, unauthorized access, exploitation, grooming-related risk and other safety-related PII risks involving children. These matters are routed through privacy review, incident handling or corrective action processes using REG04, REG10 and REG12 as applicable. For suppliers, processors, subprocessors and data-sharing recipients, the Vendor / Procurement Owner must confirm documented child-related restrictions, instructions, confidentiality, return or deletion expectations and assistance obligations in REG08 before child PII processing is authorized. Governance and oversight are defined through quarterly evidence reviews, launch readiness checks, annual audits, exception handling, enforcement and annual policy review. The Privacy Lead / PIMS Manager coordinates evidence completeness and escalation across the relevant records, while Top Management approves the child privacy control approach and reviews systemic nonconformities. The policy supports audit-ready accountability by requiring monitoring metrics for child-facing processing activities, DPIA screenings, open notice or consent issues, processor and sharing issues, recurring nonconformities and corrective action effectiveness, all recorded in REG12 with source evidence from the applicable registers.