“The GDPR identifies children as ‘vulnerable individuals’ deserving of ‘specific attention’…”
The GDPR will bring in special protection for children’s personal data, particularly where it is used for information services such as online shopping, live or on-demand streaming services and for social networking. The GDPR identifies children as ‘vulnerable individuals’ deserving of ‘specific attention’, explaining that this is because children ‘may be less aware of the risks, consequences and safeguards’ of handing over their personal data. The regulation says that this is particularly the case when services are offered directly to a child and when their personal data is used for marketing and creating online profiles. If your company processes children’s personal data, here are the changes that will affect you:
“…the person with parental responsibility must give their consent for a child under 16 to share their personal data.”
Under the current Data Protection Act, a child of any age can give their personal data away online without parental consent. This will change under the GDPR, which defines the age of consent as 16. The GDPR states that the person with parental responsibility must give their consent for a child under 16 to share their personal data. Data controllers are required to make ‘reasonable efforts’ to verify parental consent.
NOTE: Recital 38 states that parental consent is not required for counselling services offered directly to a child.
Member states may choose to change the age of consent from 16. The UK government is planning to lower the age of consent to 13. This won’t have too much impact on children’s social networking because children under 13 are already excluded from social networking sites such as Facebook and Snapchat. However, under the new regulation, organisations are likely to have to verify the ages of their subscribers, which they do not currently have to do. For services aimed at under-13s, organisations will have to prove that they have received parental authorisations.
“Privacy notices for children must be…concise, transparent and in plain language.”
Privacy notices for children must be as transparent as those written for adults – the GDPR’s Article 12 says the information provided to data subjects must be concise, transparent and in plain language. Just like adults, children must know the identity of the data controller and how their personal data will be processed. They must also be made aware that they can withdraw their consent to data processing at any time (see the previous blog post ‘What will consent mean under the GDPR?’ for more information). When writing privacy notices aimed at children, data controllers must take account of the specific age group of their audience so that they write in clear language that the child can easily understand.
“…the rights and freedoms of a data subject are more likely to override the legitimate interests of the data controller or third party when the data subject is a child.”
GDPR Article 6(1)(f) says that the rights and freedoms of a data subject are more likely to override the legitimate interests of the data controller or third party when the data subject is a child. Data controllers must make sure they have documentation to show that they have carefully considered this. When we look at the GDPR definitions of ‘legitimate interests’, we can see that processing children’s data is unlikely to be necessary for most of these purposes.
Legitimate interests include:
“It’s important to be on the alert for new codes of conduct as they might impose additional requirements on data controllers.”
GDPR Article 40 requires member states to create their own codes of conduct. This includes safeguarding children’s data, specifically the way in which consent is gained and documented. It’s important to be on the alert for new codes of conduct as they might impose additional requirements on data controllers.
Start by ensuring that: