The EU General Data Protection Regulation (GDPR) contains specific rules designed to boost the protection of children’s personal data. It restricts the age at which data subjects can lawfully give consent, introduces rules for the language used in consent requests targeted at children and regulates the way online services obtain children’s consent.
The definition of consent, and the other rules surrounding it, remain the same.
Age of consent
Under the GDPR, the default age at which a person is no longer considered a child is 16, but it allows member states to adjust that limit to anywhere between 13 and 16. Data controllers therefore must know the age of consent in particular member states, and cannot seek consent from anyone under that age. Instead, they must obtain consent from a person holding “parental responsibility”. They must also make “reasonable efforts” to verify that the person providing that consent is indeed a parental figure.
Privacy notices for children
Where services are offered directly to a child, data controllers must make sure that privacy notices are written in a clear, plain way that a child will understand. Although the Regulation calls for similar rules about clear language in general, it’s important that data controllers know the age of the intended audience and provide an appropriately phrased notice.
Online services offered to children
Most consent requests for children are likely to be for information society services (i.e. online services). An information society service is defined as “any service normally provided for remuneration, at a distance, by means of electronic equipment for the processing (including digital compression) and storage of data, and at the individual request of a recipient of a service”.
Examples of information society services are online shops, live or on-demand streaming services, and companies providing access to communication networks.
The reason for these rules, the GDPR states, is that children “may be less aware of the risks, consequences and safeguards” of handing over their personal details. The Regulation emphasises that this is particularly the case with services offered directly to a child, and when children’s personal data is used for marketing purposes and creating online profiles.
Data controllers don’t need to seek the consent of parental figures when the processing is related to preventive or counselling services offered directly to the child.
More information on the GDPR
To find out more about the GDPR and your obligations, you can read our free green paper. It provides an overview of the key regulatory changes introduced by the GDPR, and details the most important areas that you and your organisation need to be aware of when preparing for the change.