Is it legal for organisations to request your date of birth?

When you sign up for an online service, you’re often asked to provide personal details. Usually, you won’t have a problem with this: an organisation obviously needs your name and email address to contact you. But when they start asking for seemingly unnecessary information, you might get concerned. Why do you need to give your date of birth when downloading a green paper? Or to create an account for a web forum? 

Organisations that request data excessively or without a clear purpose are in breach of the EU GDPR (General Data Protection Regulation), and could face severe disciplinary measures. If you spot an organisation doing this, you have every right to report them to their supervisory authority. 

But before you rush off looking for data protection authorities’ email addresses, you should first look to see if the organisation has a lawful reason to ask for your data. This should be straightforward, as they are required to make this information easily accessible. You’ll typically find it via a link on the bottom of a web page or included in a physical contract. 


Protecting your date of birth

Dates of birth are the most common type of personal data that people complain about having to provide. That’s because they don’t often have a clear legitimate use, but could be very helpful for crooks who got hold of them. Birthdates are often used to authenticate someone, and many people who practice poor information security use dates of birth for PIN codes or in their passwords. 

However, there are many legitimate reasons for organisations to ask for your date of birth. They can be broadly split into two categories: legal requirements and marketing activities. 

Discover more about the GDPR in our free green paper, EU General Data Protection Regulation – A Compliance Guide

Download your copy>>

This green paper is also available in French and Spanish.


Legal requirements

The GDPR states that organisations can’t seek consent to collect personal data from minors (with each EU member state having the option to create its own definition of ‘minor’, provided it’s between 13 and 16). If an organisation thinks there’s a realistic chance of a child subscribing to its service, it should ask users to confirm their age. 

This obviously isn’t a foolproof system: minors can simply lie about their age. However, organisations would need to collect more personal data to check this, which would ultimately be counterproductive. 

There are also other laws that require organisations to check people’s age. Financial organisations such as PayPal are required to collect comprehensive details about its users, and communications companies such as Google and Skype need to collect birthdates to comply with the COPPA (Children’s Online Privacy Protection Rule) and other child protection laws. 


Marketing activities

Organisations can also request people’s date of birth if it’s necessary for marketing activities. This is typically the case when the organisation offers age-dependent services. So, for instance, a rail company might ask for your date of birth to check that you can receive a young person’s discount. Likewise, an organisation that offers discounts to senior citizens also has a legitimate reason to ask for your age. 


GDPR training

The complexity of the GDPR has led to a lot of organisations second-guessing themselves about what is and isn’t legal. They would therefore benefit greatly from having someone on board with GDPR training, who could help them stay on the right side of the law. 

Anyone who wants to learn more about the Regulation should consider our Certified EU GDPR Foundation Training Course.  

This one-day course is delivered by an experienced data protection practitioner, and is suitable for directors or managers who want to understand how the GDPR affects their organisation, employees who are responsible for GDPR compliance, and those with a basic knowledge of data protection who want to develop their career. 


  1. Dr Tony West 27th March 2019
    • Jessica Belton 29th March 2019
    • Spotsite 15th July 2022
    • Joan 15th November 2023
  2. Lucille Ni Ragnaill 11th June 2019
  3. Mark Amor 1st October 2019
  4. Catherine Cockburn 3rd February 2020
    • Jessica Belton 6th February 2020
  5. Jackson 29th April 2020
  6. cookie clicker 15th June 2020
  7. John Cracknell 6th August 2020
  8. Andrew 30th August 2020
  9. Michelle kerr 7th December 2020
  10. Gail Woods-Short 11th April 2021
    • David 14th April 2021
  11. Cynthia Ramsey 23rd April 2021
  12. karl 18th June 2021
  13. sam 29th June 2021
  14. JR 1st September 2021
  15. Alan Martin 31st October 2021
  16. baby 7th November 2021
  17. Inioluwa Prince 4th May 2022
  18. Joan 15th November 2023
  19. Pat 25th January 2024

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.