Companies that obtain consent from children are subject to stricter requirements than companies that obtain personal data from adults. It is permissible for children to give their consent to the processing of their own personal data. This is applicable in connection with certain services under the General Data Protection Regulation (EU) 2016/679 (GDPR).
A Company may according to the GDPR, obtain consent from children who are at least 16 years old. This applies if a company offers online services to children, and in connection therewith collects personal data based on consent. However, EU countries have the right to lower this age limit if they wish to do so. For example, Sweden and Finland have lowered the age limit to 13 years. Please note that children’s and young people’s personal data shall in particular be protected under the GDPR.
It is important to know that a consent must be voluntary and actively given according to GDPR.
Information society services for children are provided by companies that may obtain their consent
Children have the right to use information society services. They may, in certain cases, give their own consent for the service provider in question to process their personal data. Examples of information society services are social media and online games.
If the child is younger than the specified national age limit, or younger than 16 years in case the country has not lowered the age limit, the guardian must consent to the processing for it to be lawful and the consent to be valid.
Informing the child about the processing of personal data
Companies that obtain consent from children or other individuals must inform the data subjects about the processing. There is certain information to be provided when obtaining consent. This also applies in cases where the data subject is a child. The company must also inform the child about the processing of the personal data in accordance with articles 13 and/or 14 of the GDPR. Also, the information must be provided in a way that the child understands.
The company shall write the information on the processing of personal data in simple and easy-to-understand language. Specially when the data subjects are children. For example, if an online game is made available to children in the Netherlands, the company must provide the information on how the children’s personal data is processed in Dutch. A large well-known company had to pay a fine because they breached this requirement. They informed the data subjects about the processing in English in the Netherlands, instead of Dutch.
It is common to compile information about the processing of personal data in a document called a Privacy Notice. The company may usefully publish this information in the footer of the company’s website. According to the GDPR, the company should provide the information directly in connection with the collection of the personal data. For example, the information should be available when the child creates the user account for the online service.
Stricter requirements for companies that obtain consent from children
There are many companies that provide online services that many children use, such as social media. They need not know that there are stricter requirements for companies processing personal data from children.
Personal data about children is particularly worthy of protection. Therefore, the company must adapt the information so that the children understand what it means to give consent to the company.
Processing of children’s personal data in accordance with the GDPR
Here are some things to keep in mind for companies that process personal data belonging to children:
- Implement measures to prevent cyberbullying, violence and other content unsuitable for children.
- Do not process more personal data than necessary.
- Make sure that it is as easy to withdraw consent as it was to give consent.
- Make sure that the information about the processing is provided in simple and easy-to-understand language. Avoid using complicated words or too long sentences.
- It is not allowed to encourage, or have a design, text or similar that encourages children to, for example, send or publish anything for personal pictures.
There are some cases when a company should not use consent as a legal basis. Instead, there are five other legas bases according to Article 6 of the GDPR.
Review of social media for children
In 2021, the Italian data protection authority (The Garante) began to step up its work on scrutinizing the various social media platforms used by children. The review was primarily about whether the service providers meet the requirements under GDPR regarding the processing of personal data belonging to children.
The review began after a 10-year-old had created multiple user accounts on social media without its parents’ consent. This is not allowed under the GDPR. The child died and the Italian data protection authority ordered the provider of the mobile application to restrict the processing of personal data of certain users whose age the provider was not sure of.