According to the GDPR, children merit specific protection with regard to their personal data, as they may be less aware of the risks, consequences and safeguards concerned and their rights in relation to the processing of personal data.
Definition Under the GDPR
Any information given to, or provided in communication with, a child must be in “such a clear and plain language that the child can easily understand”.
Where a child asks a business to provide a service for which payment is normally made, parental consent will be required unless the child is aged 16 years or over.
What Does the GDPR Definition Really Mean?
The age at which a child can give their own consent under the GDPR is 16 years. However, in the UK only, that age limit has been lowered to 13 years by the DPA 2018.
Where consent is given by a parent or guardian, the data controller is under an additional duty to make reasonable efforts to verify that the person giving it does actually have parental responsibility for the child.
The European Data Protection Board, an EU body that works to ensure data protection law is applied consistently across the EU, has published guidelines it will adhere to in its work plan over the next two years, which will help define how the GDPR is to be enforced in respect of those provisions relating to the data of children.
What Effect has this had on UK Businesses?
The “clear and plain language” requirement affects any business that offers services for children, e.g. mobile phone apps, or social media services for children. The terms and conditions for such apps/services now need to be written differently to those targeted at adults.
Businesses that supply services and products in the UK and the EU will need to be careful, in cases where consent is required, to ensure that the correct age limit is applied in each jurisdiction. Even for businesses that don’t provide online services to children, but simply hold data relating to children, it is important to note that those children have just the same rights under the GDPR as adults, except that when a child exercises those rights, any response must be written in a way that the child will understand. And that is a very difficult skill.
But note that even young children own their own personal data, and hence are entitled to exercise rights under the GDPR. For example, a parent does not necessarily have the legal right to make a subject access request in relation to their child’s data. A child’s personal data is not owned by the parent.
What Should my Business be Doing?
First, consider whether any of your services are targeted at children, or used by children. If so, it is important to ensure that your terms and conditions are up to date and satisfy the “clear and plain language” requirement.
Secondly, if your business does process any personal data relating to children, review how you obtain consent at the point of collecting that data. Do you take steps to verify the child’s age? Are those steps reasonable? And if the child is under 13 years old (in the UK), how can you ensure that you obtain the consent of someone with parental responsibility for that child?
And then take steps to ensure that, should a data subject ever look to exercise their rights under the GDPR, you verify the age of the data subject before responding, and if the data subject is a child, ensure you respond in suitable language. Or potentially, if the child is particularly young, consider responding instead to somebody with parental responsibility for the child.