According to the GDPR, children merit specific protection with regard to their personal data, as they may be less aware of the risks, consequences and safeguards concerned and their rights in relation to the processing of personal data.
Definition under the GDPR
Any information given to, or provided in communication with, a child must be in “such a clear and plain language that the child can easily understand”.
Where a child asks a business to provide a service for which payment is normally made, parental consent will be required unless the child is aged 16 years or over.
What does the GDPR definition really mean?
The age at which a child can give their own consent under the GDPR is 16 years. However, in the UK only, that age limit has been lowered to 13 years by the DPA 2018.
In addition, where consent is given by a parent or guardian, the data controller is under a duty to make reasonable efforts to verify that that person does actually have parental responsibility for the child.
The European Data Protection Board, an EU body that works to ensure data protection law is applied consistently across the EU, has published guidelines it will adhere to in its work plan over the next two years which will help define how the GDPR is to be enforced in respect of those provisions relating to the data of children.
What effect has this had on UK businesses?
The “clear and plain language” requirement affects any business that offers services for children, e.g. mobile phone apps, or social media services for children. The terms and conditions for such apps/services now need to be written differently to those targeted at adults.
Businesses that supply services and products in the UK and the EU will need to be careful in cases where consent is required, to ensure that the correct age limit is applied in the varying jurisdictions. Even for businesses who don’t provide online services to children, but simply hold data relating to children, it is important to note that those children have just the same rights under the GDPR as adults, except that when a child exercises those rights, any response must be written in a way that the child will understand. And that is a very difficult skill.
But note that even young children own their own personal data, and hence are entitled to exercise rights under the GDPR. For example, a parent does not necessarily have the legal right to make a subject access request in relation to their child’s data. A child’s personal data is not owned by the parent.
What should my business be doing?
First, consider whether any of your services are targeted at children, or used by children. If so, it is important to ensure that your terms and conditions are up to date and satisfy the “clear and plain language” requirement.
Secondly, if your business does process any personal data relating to children, review how you obtain consent at the point of collecting that data. Do you take steps to verify the child’s age? Are those steps reasonable? And if the child is under 13 years old (in the UK), how can you ensure that you obtain the consent of someone with parental responsibility for that child?
And then take steps to ensure that, should a data subject ever look to exercise its rights under the GDPR, you verify the age of the data subject before responding, and if the data subject is a child, ensure you respond in suitable language. Or potentially, if the child is particularly young, consider responding instead to somebody with parental responsibility for the child.
My business is designing and selling mobile phone apps, and I’m pretty sure children are downloading them. So what do I need to do?
Assuming that, as part of the download process or the app itself, you obtain any personal data from the user, then we suggest you employ a three-step process. First, ensure your business’s terms and conditions are written clearly and plainly in a way that a child would understand them. We appreciate that this is easier said than done. Secondly, ensure you verify the age of any person that downloads the app so that, when you come to obtain their consent to you processing their personal data, you know whether they are capable of giving consent (or whether you need to obtain parental consent). And finally, ensure that your app contains some process by which it asks for parental consent if the user is aged 12 years or under (in the UK), and also contains some attempt at ensuring whoever ticks the box does actually have parental consent (and it isn’t simply the child ticking the box).
My 13-year-old daughter wants to find out what information social services are holding about her. Can I make a request on her behalf?
No, the request must come from your daughter because the request relates to her personal data. However, with your daughter’s consent, you can ask social services to respond directly to you. But social services would have to satisfy themselves that you had authority to act on your daughter’s behalf.
So, if I receive a subject access request that appears to be from a five-year-old boy, I have to treat it seriously?
Yes. But you may wish to take steps to identify a person with parental responsibility for the boy, and determine whether your response should be to that person rather than the boy.
I’m an accountant, and I keep details of my clients’ children to assist with claims for child tax credit and other benefits. Do I need to do anything?
You would treat that information in the same way as you’d treat any other personal data, but those children would also have the same rights under the GDPR as any adult.
- Data controller means the person/business who determines the purposes for which personal data will be processed, and the manner in which it will be processed.
- Data subject means the living individual that is identified, or can be identified, from the personal data.
- GDPR means the General Data Protection Regulation, the EU law that effectively replaced the Data Protection Act 1998.
- Personal data means any data from which a living person can be identified.
- Process means to do just about anything with personal data, e.g. collecting, recording, organising, structuring, storing, adapting, altering, retrieving, consulting, using, disclosing, transmitting, erasing, destroying or otherwise making the data available to somebody else.
This does not amount to legal advice and is provided for information purposes only. It should not be regarded as a substitute for taking up-to-date legal advice.