When you sign up for an online service, you’re often asked to provide personal details. Usually, you won’t have a problem with this: an organisation obviously needs your name and email address to contact you. But when they start asking for seemingly unnecessary information, you might get concerned. Why do you need to give your date of birth when downloading a green paper? Or to create an account for a web forum?
Organisations that request data excessively or without a clear purpose are in breach of the EU GDPR (General Data Protection Regulation), and could face severe disciplinary measures. If you spot an organisation doing this, you have every right to report them to their supervisory authority.
But before you rush off looking for data protection authorities’ email addresses, you should first look to see if the organisation has a lawful reason to ask for your data. This should be straightforward, as they are required to make this information easily accessible. You’ll typically find it via a link on the bottom of a web page or included in a physical contract.
Protecting your date of birth
Dates of birth are the most common type of personal data that people complain about having to provide. That’s because they don’t often have a clear legitimate use, but could be very helpful to crooks who get hold of them. Birthdates are often used to authenticate someone, and many people who practise poor information security use dates of birth for PIN codes or in their passwords.
However, there are many legitimate reasons for organisations to ask for your date of birth. They can be broadly split into two categories: legal requirements and marketing activities.
Legal requirements
The GDPR states that organisations can’t seek consent to collect personal data from minors (with each EU member state having the option to create its own definition of ‘minor’, provided it’s between 13 and 16). If an organisation thinks there’s a realistic chance of a child subscribing to its service, it should ask users to confirm their age.
This obviously isn’t a foolproof system: minors can simply lie about their age. However, organisations would need to collect more personal data to check this, which would ultimately be counterproductive.
There are also other laws that require organisations to check people’s age. Financial organisations such as PayPal are required to collect comprehensive details about their users, and communications companies such as Google and Skype need to collect birthdates to comply with the COPPA (Children’s Online Privacy Protection Rule) and other child protection laws.
Marketing activities
Organisations can also request people’s date of birth if it’s necessary for marketing activities. This is typically the case when the organisation offers age-dependent services. So, for instance, a rail company might ask for your date of birth to check that you can receive a young person’s discount. Likewise, an organisation that offers discounts to senior citizens also has a legitimate reason to ask for your age.
GDPR training
The complexity of the GDPR has led to a lot of organisations second-guessing themselves about what is and isn’t legal. They would therefore benefit greatly from having someone on board with GDPR training, who could help them stay on the right side of the law.
Anyone who wants to learn more about the Regulation should consider our Certified EU GDPR Foundation Training Course.
This one-day course is delivered by an experienced data protection practitioner, and is suitable for directors or managers who want to understand how the GDPR affects their organisation, employees who are responsible for GDPR compliance, and those with a basic knowledge of data protection who want to develop their career.
When most companies call you, say to sell or renew car insurance, they almost all say they need my date of birth and first line of address for data protection reasons. How does giving my date of birth and address protect my data? Surely, if anything, it compromises data protection?
Hi Tony,
Transparency and purpose limitation are core principles of data processing under the GDPR. Companies can collect your data only for specified, explicit and legitimate purposes, and have to inform you about such purposes from the outset.
A purpose that is vague or general, such as for instance ‘improving users’ experience’, ‘marketing purposes’, ‘data protection purposes’ – without more detail – usually does not meet the criteria of being ‘specific’.
As a data subject, you have a right to request the company to provide you further explanation about the purposes of processing as well as other relevant information. To learn more about your rights and how to exercise them, please see here:
https://www.itgovernance.co.uk/blog/what-are-the-data-subject-rights-under-the-gdpr
https://www.itgovernance.co.uk/blog/how-to-write-a-gdpr-compliant-data-subject-access-request-procedure
I totally agree, I have an old debt that I have been trying to pay for the past 2 years but they refuse to give any information on the debt or to take payment unless I provide my DOB.
When ASDA start to require my DOB for my weekly shopping or to give me information on a product I bought the week before I would consider giving it to them but they don’t and I see giving my DOB a breach in my Data protection as it could be used to sell, pass between other organisations or used in scams, they are rife at the moment.
But I will call them every time they send me a letter go through the basic information name address “this is on the letter” but never my DOB.
When I rang Eir regarding a question got to do with my bill I was asked my date of birth. I refused to give it stating that it was my own private data. I also added that they had all my account details on my bill. The woman said it was the policy of the company to request it. I asked what they wanted it for and refused to give it. I have no problem with other service providers as they just don’t ask me. However, I never got my question addressed as the rude woman hung up on me. I believe this should be brought to their attention as it has nothing got to do with Customer care! My data protection is safe in my own hands.
When in my local surgery recently the receptionist asked for my date of birth so that I could make a follow-up appointment. This required me to say it out loud so she could hear me. It seems to me that having to do this out loud in a public area, regardless of the need for using my date of birth for identification, is itself on shaky GDPR ground. Surely there must be a better way!
Work form questionnaire has a date of birth box. Do I have to fill in my date of birth, as this is a very personal thing and I don’t want to enter it?
Hi Catherine
You should query with your employer as to what the purpose is for requesting your date of birth (i.e. why they want it and do they actually need it?). In addition, you could ask them to advise you of the lawful basis under Article 6, GDPR for this processing.
If they have a valid purpose and lawful basis, then they can request this information. If they do not have a valid purpose nor lawful basis, then they should not be requesting this information and you can refuse to provide it.
I am in dispute with Amazon who refuse to deliver age protected items unless I verbally tell the delivery driver my Date of Birth. Their own regulations only require that the delivery is to the customer’s registered address and that the recipient produce proof of identity (fair enough). However, the drivers will not hand over the goods unless I tell them my date of birth even if I have let them examine my old person’s bus pass (with a photo on it).
Are they acting properly in doing this?
Some companies in the EU are notorious about asking age related information or a recent photo on their job applications. British companies are one of the worst. I cannot believe they have not been sued because of this. As far as “recent photo” goes, find a picture of you that you like (any date will do) and take a photo of that picture. Now you have a “recent photo” of that photo, which you can submit. They cannot say it is not you because it is you, and they cannot say it is not recent because you just took it.
Can a catalogue request this information by email only if I state I don’t want to provide this by email? “Our dispatch team require you to provide those details to us via email, if you could please email us your full name, DOB, Delivery Address, Best Contact number, Alternative Contact Telephone number and email address please.” I stated I would not give this information by email and was told the dispatch team only take this by email, no calls to me, even though they currently have all my details on file.
I don’t understand why Google needs my birth date. I’m 73 and certainly not in danger of being mistaken for someone under the age of 18. The more personal information out there, the easier to hack. We all know this. And I would bet that Google already has my birth date.
Hello Gail, I’m in my late 60s and have had similar annoying requests from google regarding gmail. I doubt it is actually a legal requirement but I could be wrong. Denial of email access irritated me, so while the irritating DOB requesting message was displayed I closed the browser and immediately re-opened it and clicked on gmail again with the successful result of immediate connection to email. This annoying message has the habit of re-appearing every couple of days or so over the last fortnight. I might find that eventually I’ll have to comply with some date and if so it may be an opportunity to regain lost youth…..
Supposedly, “being marketed to”, by Google is a “legitimate” reason. We all know seniors are at high risk of identity theft. What if we do not want to be “marketed to” and prefer our right to privacy?
Who could be a better target of identity theft by hackers than a large company like Google!?
Your date of birth separates you from all other people with the same name. It’s a common way. My name is very unique and yet there’s 3 of us in my city.
I can only recommend to everyone to do as I do.
Just say your date of birth is Jan/1/1970. Anybody in IT will assume that is nonsense and to stop bothering you.
It is the default Unix epoch start date. So the databases will just save 0 as usually all other days are counted relative to it. Either before or after 1.1.1970 0:00.
First of January is also usually preselected so it’s easy to select.
All those online services that need to check your age don’t need the date. They would just need the year. Nobody needs to identify you by Name and date ever, it’s also not possible for very common names. They may need your credit card maybe but only the credit card company needs to have your personal information like Name + Birthday + Billing address.
All the other companies can have money via payment services and they may need an email to contact you or an address to send stuff to, they neither need a Name nor a Birthday.
Hi, can a company request the due date of a baby for marketing purposes?
If it is a company that sells baby products?
Thanks
Why is it accepted practice to ask for a full date of birth for age purposes? For most people most of the time, year of birth is enough to show that they meet legal age limits, and also for age-based marketing. When it isn’t, organizations could err on the side of caution. At the same time it is not a reliably unique identifier when combined with a name, which would help to protect privacy, especially when data breaches expose information to criminals who won’t respect the GDPR.
When the stated purpose is age-related, people should have the option to give only the year, and data protection regulations should enforce this upon organizations!
That is an impressive article because they have shown us the exact point.
Well shared, an enlightening article. Protecting personal data is of paramount importance, even more now when different accounts may be linked. Personal details, as said, can be a way of verification. And thus, dangerous, if thrown in the wrong hands.