The GDPR and child consent

The EU General Data Protection Regulation (GDPR) contains specific rules designed to boost the protection of children’s personal data. It restricts the age at which data subjects can lawfully give consent, introduces rules for the language used in consent requests targeted at children and regulates the way online services obtain children’s consent.

The definition of consent, and other rules surrounding it remain the same.


Age of consent

Under the GDPR, the default age at which a person is no longer considered a child is 16, but it allows member states to adjust that limit to anywhere between 13 and 16. Data controllers therefore must know the age of consent in particular member states, and cannot seek consent from anyone under that age. Instead, they must obtain consent from a person holding “parental responsibility”. They must also make “reasonable efforts” to verify that the person providing that consent is indeed a parental figure.


Privacy notices for children

Where services are offered directly to a child, data controllers must make sure that privacy notices are written in a clear, plain way that a child will understand. Although the Regulation calls for similar rules about clear language in general, it’s important that data controllers know the age of the intended audience and provide an appropriately phrased notice.


Online services offered to children

Most consent requests for children are likely to be for information society services (i.e. online services). This is defined as “any service normally provided for remuneration, at a distance, by means of electronic equipment for the processing (including digital compression) and storage of data, and at the individual request of a recipient of a service”.

Examples of information society services are online shops, live or on-demand streaming services, and companies providing access to communication networks.

The reason for these rules, the GDPR states, is because children “may be less aware of the risks, consequences and safeguards” of handing over their personal details. The Regulation emphasises that this is particularly the case with services offered directly to a child, and when children’s personal data is used for marketing purposes and creating online profiles.

Data controllers don’t need to seek the consent of parental figures when the processing is related to preventive or counselling services offered directly to the child.

More information on the GDPR

To find out more about the GDPR and your obligations, you can read our free green paper. It provides an overview of the key regulatory changes introduced by the GDPR, and details the most important areas that you and your organisation need to be aware of when preparing for the change.

Download EU General Data Protection Regulation – A Compliance Guide >>

 Blog disponibile in italiano


Subscribe to our weekly newsletter

One Response

  1. Steve Ives 10th August 2018

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.