Briefly

Data Privacy in the Age of AI: NDPC Tasks Tech Developers on Building Secure Systems for Children

Briefly
Nigeria Data Protection Commissionpress_release
press_releaseNigeria·Nigeria Data Protection Commission·Briefly Analysis

Abstract

The Nigeria Data Protection Commission (NDPC) has intensified its focus on safeguarding children's data privacy in the burgeoning age of Artificial Intelligence (AI). This article examines the NDPC's recent directives to tech developers, urging them to integrate robust security measures and privacy-by-design principles into systems and platforms accessed by children. Drawing authority from the Nigeria Data Protection Act (NDPA) 2023, the Commission emphasizes the need for age-appropriate design, verifiable parental consent, and enhanced accountability from data controllers and processors. The NDPC's stance aligns with global best practices, such as the GDPR and COPPA, highlighting a proactive regulatory approach to mitigate the unique risks AI poses to minors' personal data, including profiling, harmful content exposure, and non-consensual imagery.

Introduction

The rapid advancement of Artificial Intelligence (AI) technologies presents unprecedented opportunities, yet simultaneously introduces complex challenges, particularly concerning data privacy. Among the most vulnerable demographics in this evolving digital landscape are children, whose personal data is increasingly collected, processed, and utilized by online platforms and AI-powered applications. Recognizing these escalating risks, the Nigeria Data Protection Commission (NDPC) has issued a clear mandate to technology developers: prioritize the creation of secure and privacy-centric systems for children. This directive underscores Nigeria's commitment to protecting its youngest citizens in the digital realm, aligning with global efforts to establish robust safeguards against potential harms.

Background

Nigeria's data protection landscape underwent a significant transformation with the enactment of the Nigeria Data Protection Act (NDPA) 2023, which replaced the earlier Nigeria Data Protection Regulation (NDPR) 2019. The NDPA 2023 established the Nigeria Data Protection Commission (NDPC) as the principal regulatory authority, tasked with safeguarding the fundamental rights and freedoms of data subjects as guaranteed under the 1999 Constitution of Nigeria. The Act provides a comprehensive framework for the processing of personal data, defining responsibilities for data controllers and processors, and outlining data protection principles such as lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity, and confidentiality.

Crucially, the NDPA 2023 significantly expands protections for children's data, raising the age threshold for a 'child' to 18 years, in consonance with the Nigeria Child Rights Act where domesticated. It mandates specific consent requirements for processing children's personal data, recognizing their reduced capacity to understand the risks involved. The NDPC, as the successor to the Nigeria Data Protection Bureau (NDPB), is empowered to enforce compliance, investigate breaches, issue warnings, and impose administrative fines, thereby playing a pivotal role in shaping data processing practices across various sectors.

Analysis

The NDPC's recent emphasis on securing children's data in the age of AI is a direct application of the NDPA 2023's principles and a response to emerging technological threats. The Commission, in collaboration with the Federal Ministry of Communications, Innovation and Digital Economy, has convened high-level stakeholder engagements to foster a safer digital environment for children. Key among the NDPC's tasks for tech developers is the imperative to adopt a 'duty-of-care' model, integrating privacy-by-design principles from the initial stages of system development. This approach requires developers to embed data protection safeguards into the core architecture of AI systems and online platforms, rather than treating them as afterthoughts.

Furthermore, the NDPC stresses the need for robust age-verification mechanisms and verifiable parental consent for the processing of children's data, particularly for online services. This aligns with international standards such as the European Union's General Data Protection Regulation (GDPR), which mandates parental consent for children below a certain age (ranging from 13 to 16, depending on the Member State) when offering information society services. Similarly, the Children's Online Privacy Protection Act (COPPA) in the United States requires verifiable parental consent for the online collection of personal information from children under 13.

The Commission has also highlighted the risks posed by AI-generated content, particularly non-consensual imagery and defamatory materials, which disproportionately affect children and vulnerable groups. Nigeria's recent endorsement of the "Joint Statement on AI-Generated Imagery and the Protection of Privacy" underscores its commitment to addressing these specific AI-related privacy abuses. This global initiative calls for strong safeguards, transparency, effective content removal mechanisms, and full compliance with data protection laws from organizations developing and deploying AI tools. The NDPC's National Commissioner, Dr. Vincent Olatunji, has consistently advocated for greater accountability from platform providers and the strengthening of legal awareness to navigate the complexities of AI.

Another critical aspect is the requirement for Data Protection Impact Assessments (DPIAs) for processing activities likely to result in a high risk to data subjects' rights and freedoms. Given the inherent complexities and potential for harm associated with AI processing of children's data (e.g., for profiling or targeted advertising), such assessments become indispensable. The NDPC expects tech developers to conduct thorough DPIAs, maintain clear privacy policies articulated in child-friendly language, and appoint Data Protection Officers (DPOs) to ensure internal compliance.

Conclusion

The Nigeria Data Protection Commission's proactive stance on safeguarding children's data privacy in the age of AI signals a clear regulatory expectation for tech developers operating within or targeting the Nigerian market. Practitioners must advise clients to move beyond mere compliance checklists and adopt a holistic, ethical approach to data governance, with the best interests of the child at its core. This includes embedding privacy-by-design, implementing robust age verification and parental consent mechanisms, conducting comprehensive DPIAs, and ensuring transparent, child-friendly communication regarding data practices.

The increasing integration of AI into daily life necessitates continuous vigilance and adaptation from both regulators and industry. Legal professionals should closely monitor forthcoming NDPC guidelines and enforcement actions, as the Commission is poised to actively enforce the NDPA 2023's provisions concerning children's data. The call for secure systems for children is not merely a regulatory burden but an opportunity for tech developers to build trust and foster a responsible digital ecosystem for the next generation.

Citations

  1. 1.Nigeria Data Protection Act 2023
  2. 2.Children's Online Privacy Protection Act (COPPA)
  3. 3.General Data Protection Regulation (GDPR)
  4. 4.The Guardian Nigeria News, "FG, NDPC to create safer digital environment for children" (June 10, 2026)
  5. 5.Punch Newspapers, "Nigeria signs global pact to tackle AI privacy abuse" (March 05, 2026)
  6. 6.BusinessDay, "Data protection, security, trust critical to Nigeria's AI future - stakeholders say" (June 17, 2026)
  7. 7.The Future of Privacy Forum, "Nigeria's New Data Protection Act, Explained" (June 28, 2023)
  8. 8.KPMG International, "Nigeria Data Protection Act 2023 Review"
  9. 9.Cookie Script, "Understanding the Nigeria Data Protection Act, 2023 (NDPA)"
  10. 10.Secure Privacy, "Nigeria Data Protection Law: Complete NDPA Compliance Guide 2025"
  11. 11.Kabbiz Legal & Advisory, "Data Controllers and Processors Registration with the NDPC"
  12. 12.Lex Luminar, "Data Protection Enforcement in Nigeria: Powers of the NDPC" (June 20, 2025)
  13. 13.Aluko & Oyebode, "Introducing the Nigeria Data Protection Act 2023"
  14. 14.The Federal Trade Commission, "Children's Online Privacy Protection Rule: Not Just for Kids' Sites"
  15. 15.Termly, "COPPA: Children's Online Privacy Protection Act Explained" (November 12, 2025)
  16. 16.Kiteworks, "Children's Online Privacy Protection Act: COPPA Requirements & Compliance"
  17. 17.Wikipedia, "Children's Online Privacy Protection Act"
  18. 18.Clarip Articles, "GDPR-K: Children's Data and Parental Consent under the GDPR"
  19. 19.GDPRWise, "GDPR and Children - Extra Rules for Minors' Personal Data" (April 06, 2026)
  20. 20.USLAW Magazine, "GDPR's children data regime" (Spring 2022)
  21. 21.Law Society, "GDPR Guidance 8 - Processing Children's Data" (November 22, 2025)
  22. 22.Sovy, "Children and the GDPR Detailed Guidance"
  23. 23.Nigeria Data Protection Commission, "About Us"
  24. 24.Nigeria Data Protection Commission, "NDPC Engages Youth on AI Data Governance and Regulation at NYIGF" (December 08, 2025)
  25. 25.The Federal Ministry of Communications, Innovation & Digital Economy and the Nigeria Data Protection Commission (NDPC), "Nigeria strengthens push for Child Online Safety amid growing digital risks" (June 05, 2026)