When you sign up for an online service, you’re often asked to provide personal details. Usually, you won’t have a problem with this: an organisation obviously needs your name and email address to contact you. But when they start asking for seemingly unnecessary information, you might get concerned. Why do you need to give your date of birth when downloading a green paper? Or to create an account for a web forum?
Organisations that request data excessively or without a clear purpose are in breach of the EU GDPR (General Data Protection Regulation), and could face severe disciplinary measures. If you spot an organisation doing this, you have every right to report them to their supervisory authority.
But before you rush off looking for data protection authorities’ email addresses, you should first look to see if the organisation has a lawful reason to ask for your data. This should be straightforward, as they are required to make this information easily accessible. You’ll typically find it via a link on the bottom of a web page or included in a physical contract.
Protecting your date of birth
Dates of birth are the type of personal data people most often complain about having to provide. That's because they rarely have an obvious legitimate use, but can be very helpful to crooks who get hold of them. Birthdates are often used to authenticate someone, and many people with poor information security habits use their date of birth as a PIN code or as part of a password.
However, there are many legitimate reasons for organisations to ask for your date of birth. They can be broadly split into two categories: legal requirements and marketing activities.
The GDPR states that organisations can’t seek consent to collect personal data from minors (with each EU member state having the option to create its own definition of ‘minor’, provided it’s between 13 and 16). If an organisation thinks there’s a realistic chance of a child subscribing to its service, it should ask users to confirm their age.
This obviously isn’t a foolproof system: minors can simply lie about their age. However, organisations would need to collect more personal data to check this, which would ultimately be counterproductive.
There are also other laws that require organisations to check people's age. Financial organisations such as PayPal are required to collect comprehensive details about their users, and communications companies such as Google and Skype need to collect birthdates to comply with COPPA (Children's Online Privacy Protection Rule) and other child protection laws.
Organisations can also request people’s date of birth if it’s necessary for marketing activities. This is typically the case when the organisation offers age-dependent services. So, for instance, a rail company might ask for your date of birth to check that you can receive a young person’s discount. Likewise, an organisation that offers discounts to senior citizens also has a legitimate reason to ask for your age.
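The age checks described above (the consent threshold for minors and eligibility for an age-dependent discount) are both a comparison against a threshold, and the data-minimising way to implement them is to compute the result and retain only that. The following is an added illustration, not code from the original article; the default threshold of 16 is the GDPR's own, the per-member-state values are passed in by the caller, and the `SignupRecord` shape is assumed.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# GDPR Article 8: digital consent age is 16 unless a member state sets a
# lower age, which may not go below 13.
DEFAULT_CONSENT_AGE = 16
MIN_STATE_AGE, MAX_STATE_AGE = 13, 16


def age_on(birth: date, today: date) -> int:
    """Whole years completed on `today`.
    A 29 February birthday is treated as falling on 1 March in non-leap years."""
    years = today.year - birth.year
    try:
        anniversary = birth.replace(year=today.year)
    except ValueError:  # 29 Feb does not exist this year
        anniversary = date(today.year, 3, 1)
    if today < anniversary:
        years -= 1
    return years


def consent_age_for(state_threshold: Optional[int]) -> int:
    """Resolve the applicable consent age, rejecting values outside 13-16."""
    if state_threshold is None:
        return DEFAULT_CONSENT_AGE
    if not MIN_STATE_AGE <= state_threshold <= MAX_STATE_AGE:
        raise ValueError("member-state threshold must be between 13 and 16")
    return state_threshold


def meets_threshold(birth: date, threshold: int, today: Optional[date] = None) -> bool:
    """Generic age gate: True if the person is at least `threshold` years old."""
    today = today or date.today()
    if birth > today:
        raise ValueError("date of birth is in the future")
    return age_on(birth, today) >= threshold


@dataclass(frozen=True)
class SignupRecord:
    """Assumed shape of what the service stores: the outcome, never the DOB."""
    email: str
    consent_age_confirmed: bool


def register(email: str, birth: date, state_threshold: Optional[int] = None,
             today: Optional[date] = None) -> SignupRecord:
    # The date of birth is used for the check and then dropped.
    ok = meets_threshold(birth, consent_age_for(state_threshold), today)
    return SignupRecord(email=email, consent_age_confirmed=ok)
```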
The complexity of the GDPR has led many organisations to second-guess themselves about what is and isn't legal. They would therefore benefit greatly from having someone on board with GDPR training who could help them stay on the right side of the law.
Anyone who wants to learn more about the Regulation should consider our Certified EU GDPR Foundation Training Course.
This one-day course is delivered by an experienced data protection practitioner, and is suitable for directors or managers who want to understand how the GDPR affects their organisation, employees who are responsible for GDPR compliance, and those with a basic knowledge of data protection who want to develop their career.