Today, one of the biggest threats to a child’s wellbeing is hidden in plain sight: how their data is collected, stored, and shared by the institutions meant to protect them.
This reality was highlighted at the 2nd Africa Child Online Safety Summit 2025, hosted by the Africa Child Online Safety Alliance (ACOSA). The summit, which gathered civil society, regional bodies, and private sector partners, investigated new dangers, regional cooperation, and practices to make digital futures for African children secure and trustworthy. At this summit, we presented the Data Protection Guidelines for Civil Society Organizations (CSOs), which is an important tool and its purpose is to guarantee that the organizations working with children’s information do so in a manner that is safe, ethical, and completely consistent with human rights principles.
What emerged from that session was a powerful reminder:
Compliance is not the ceiling, it is the floor.
Ethics is the ceiling.
Below are five essential data protection principles for CSOs, as highlighted in our guidelines:
1. Collect Only What You Need
Our work across Kenya has shown that CSOs often collect excessive data: photos, addresses, case files, simply because it is available. But every unnecessary piece of information becomes a liability, especially when it involves a child.
Amnesty guidelines emphasize minimal data collection: if you cannot clearly justify why you’re collecting it, don’t collect it. Collecting less is the first step toward reducing harm.
2. Treat Consent as a Safeguard, Not a Formality
True consent requires understanding, and children cannot fully grasp long-term digital risks. For CSOs working with minors, consent must involve age-appropriate explanations, guardian engagement, and true freedom to decline without losing access to essential services.
It is therefore pivotal for CSOs to input practical steps to ensure that consent protects the child, not just the institution.
3. Delete What You No Longer Need
In many organizations, children’s data is stored indefinitely “just in case.” But holding on to unnecessary data long after a program ends exposes children to long-term risks including stigma, re- traumatization, and even targeting.
Amnesty’s guidelines recommend clear retention and destruction of timelines. Data that no longer serves a legitimate purpose must be safely deleted.
ACOSA’s work across Africa has made one truth clear: child protection is impossible without strong data protection. As more countries adopt digital IDs, social protection platforms, biometric systems, school portals, and online child engagement tools, children’s data is being collected at an unprecedented scale.
CSOs often work directly with the most vulnerable children, those who have survived exploitation, abuse, or digital harm. Their information is extraordinarily sensitive and mishandling it can amplify the harm they have already endured.
Through this summit, we hope that digital platforms conduct human rights due diligence, transparency, accountability and make information accessible, easy to understand when it comes to making content for children. The guidelines serve as a practical roadmap for CSOs, empowering them to handle children’s data with integrity, respect, and responsibility.
And lastly, we echo these powerful words from Athena Morgan, Africa Regional Project Manager at the International Centre for Missing and Exploited Children (ICMEC):
We need to move from awareness to everyday digital life.
From parental responsibility to safety by design.
From Fragmented responses to regional cooperation
From imported solutions to Afrocentric inclusive approaches
From adults talking to intergenerational conversations.