This issue is especially important in these modern times. It is estimated that one in three internet users are minors, who can behave more impulsively and, in some cases, do not understand the implications of their actions. Confusingly worded privacy policies do not help much either.
The intention of lawmakers was to rectify these issues in the GDPR, but many still deem the situation as very unsatisfactory.
In this article, we will explore the conditions for children’s consent, as well as things to watch out for and measures to enact.
Children Online: What’s the Issue?
Children are prone to impulsive and volatile behaviour online. They also tend to experiment with lots of online services, which can leave them vulnerable since they give out their personal information freely and without considering the possible outcomes. They cannot evaluate risky situations properly and lack awareness of the long-term consequences.
For that reason, they are the group most at-risk from unwanted privacy intrusions from marketers, data harvesters and similar. Most Europeans feel that children should be afforded additional protection online. Lots of websites do not provide child-friendly notices and explanations on how their data is being used. Some do not even check for age and allow children to access them, even if they should not be able to.
Who Is a Child & The Rule of 16
This is the area where the GDPR has gotten a lot of flak, and rightly so. The very definition of a ‘child’ under the GDPR is jumbled and a bit chaotic.
The old Data Protection Directive that the GDPR replaces did not contain provisions regarding children, opting to delegate this to the national laws of the EU member states.
The GDPR does include provisions for the safety of children, but it does not do much in the way of harmonisation. Most current laws, such as those in the US (The Children’s Online Privacy Protection Act of 1998 – COPPA), set the age limit at 13. This has effectively been ‘transposed’ into Europe as well, since the social media companies are mostly based in the US and they bar children younger than 13 from using their services due to simplicity.
Higher Limits in the EU
The GDPR sets this age limit at 16 years old. However, member states can lower this ceiling as they like, by introducing replacement provisions in their own laws. The threshold cannot be reduced to less than 13 years, however.
This is a radical change of plans, as the lawmakers wanted to set the limit at 18 years, afterwards revised to 13. However, some EU countries like the Netherlands set their limits higher, and the limit was changed so that their limits stay intact.
Additionally, the GDPR does not define what a ‘child’ is and who this term applies to. This is unfortunate since it affects a few other things, such as profiling (profiling of children is prohibited). It is unclear as of yet whether this limit of 16 years of age is an implicit definition, or if other definition should be employed where persons under 18 years of age are considered children.
Some critics pointed out that this higher threshold of 16 years does not change the underlying facts: it is difficult and expensive to verify the validity of consent, and the threshold itself has been questioned. After all, can a 16-year old be considered a child, and lumped into the same category as a 10-year old? These questions are not addressed in the GDPR at all. In fact, there are fears that children could be locked out of the web entirely as a result. Your company might not want to do it, but if faced with the prospect of exorbitant fines, your hand could be forced. There are a few guidelines to help you though. Read on!
Aside from elevated requirements for consent, children are afforded extra rights. Their right to be forgotten is ‘stronger’ than that of the regular person. In most cases, you will have no legitimate grounds to further process the child’s data if you receive such a request. Profiling of children is forbidden under the GDPR.
You are obligated to process children’s data with extreme care, especially when evaluating health, economic situation, or interests. Once you’re done with processing, you are allowed to retain data only as strictly necessary for its original purpose or if required by law. Children are singled out as a group where the interests of the organization must be particularly strong in order to continue processing. In other words, the threshold for processing of children’s personal data is particularly high.
When addressing privacy notices to children, they must be simple to understand and written in plain language. However, they must be complete and truthful. Do not obfuscate your arguments and claims in ‘legalese’. Never hide information from children and make sure they understand what you will use their data for. If you are unsure whether they can, maybe you should reconsider using their data in the first place.
Children themselves cannot consent to the use of their data. Parental consent is required instead, otherwise their data is illegal to process. Data controllers should, as per Article 8, take ‘reasonable measures’ to verify the validity of the consent; i.e. whether it was given by the parent or not.
In practice, it remains elusive as to how consent will be verified. The GDPR calls for reasonable effort taking into account the current level of technology, but so far the regulators and the lawmakers are due to provide a detailed explanation regarding the exact requirements.
Aside from barring anyone under 16 years of age from using your online services – which would be the easiest, but not the most practical solution – you can opt for obtaining the guardian’s or parent’s details. You could ask for their e-mail address so that the verification e-mail can be sent there. Requiring a scanned ID from a parent is also an option. But both of these can be circumvented by children and teenagers, and you still would not know whether the guardian actually consented. Plus, you are exposing yourself in the latter example by storing very personal data. It may not be worth the risk.
You do not need consent in the case of preventive and counselling services offered directly to a child. This includes abuse hotlines, psychological services etc.
Lack of Harmonisation
Make sure to monitor the age of consent for children in each member state. 16 years is the most conservative age which you can use as a blanket requirement, but some states may reduce the age threshold. If you feel this would be beneficial to your business, make sure to check the member state laws from time to time.
Note that these consent requirements apply only to online services. For offline data collection, regular consent requirements apply, in addition to the national legislation on this issue.
The GDPR is a patchwork of contradictory regulations when it comes to the protection of children. On one hand, it extends the definition to 16 years of age, but on the other hand, there are no reliable mechanisms to ensure that consent is indeed valid.
We have yet to see how this will work in practice, pending further guidance from the regulators, the Article 29 Working Party or the European Commission. These obstacles have been foreseen even during the drafting of the GDPR, as the Article 8 underwent several modifications. Some countries wanted it deleted altogether, even.
Be that as it may, even at this moment you can enact protective measures for data relating to children and treat it with a higher level of caution and security, just like special categories of personal data. It just might turn out to be enough for compliance.