If you’ve ever used an online service that requires age confirmation, you’re probably aware of how inadequate the restrictions usually are. All you’re asked to do is check a box or provide your date of birth. There’s no evidence required, and no one will follow up to make sure you were telling the truth.
Until recently, there were no signs that anybody was particularly bothered by these lax practices. However, the introduction of the EU GDPR (General Data Protection Regulation) has changed that. The Regulation sets clear rules on age restrictions, and the punishment for violating the rules is severe, with the most serious breaches attracting fines of up to €20 million or 4% of annual global turnover, whichever is greater.
What are the GDPR’s rules?
Individuals are only able to give consent if they are over a certain age. The GDPR allowed member states to set their own limit, provided the age was between 13 and 16. For example, the UK and Spain set the age at 13, Germany and the Republic of Ireland stuck with 16, and Austria opted for 14.
If an organisation wants to collect the data of a person younger than this, consent needs to be given by someone with “parental responsibility”. The organisation must also make “reasonable efforts” to verify that the person providing that consent is indeed a parental figure.
It’s worth remembering that, as with adults, child consent is only one option for organisations looking to obtain personal data. There are six lawful grounds in total, and consent is generally regarded as the least stable. It should therefore only be sought when none of the other grounds apply.
Bypassing the consent requirements
Many people will naturally question how much difference the GDPR’s rules will make. It’s hard to police age restrictions online, which is why there isn’t already a more elegant solution than simply asking people their age. The GDPR doesn’t provide an answer, so organisations are essentially in the same place as they were before. In fact, they’re in a worse place, because if they suffer a data breach involving minors’ information and it is found that they used consent to obtain that information, they will face regulatory action.
But it’s not the GDPR’s job to provide answers. Its job is to protect people’s personal information, and its age of consent rules highlight how difficult that is.
As with many of the Regulation’s rules, the key to staying secure is to ask yourself why you need to collect personal data. If you can use another lawful ground, you don’t have to worry about consent requirements. You should also consider whether you need to collect personal data at all, as you might find the risks associated with data gathering outweigh the benefits.
There are two instances where you don’t have to meet any of the GDPR’s lawful grounds.
Minors have full control over any data that’s collected “in the context of preventative or counselling services offered directly to a child”. This means that, for example, if a child tells a teacher that they are being abused, the school doesn’t need to get consent from the parental figure to report the incident to the authorities.
It’s also not necessary for children to provide consent if they aren’t competent to exercise their data protection rights. A parental figure will instead take this responsibility.
Are you GDPR-compliant?
The GDPR is a complex law, and consent and data subject rights are just one part. Those who want to learn more about how the Regulation affects them should read EU General Data Protection Regulation – A Compliance Guide.
This free green paper provides an overview of the key changes introduced by the GDPR and how you can comply with them.