Children enjoy special protection under the General Data Protection Regulation (GDPR) as they are considered vulnerable1. They have not yet reached physical and psychological maturity2, so they may be less aware than adults of the risks and consequences of sharing their personal information when registering for online services or using connected platforms3.
Special legal regime applicable to children
The European regulation establishes a specific legal regime for children4, but it concerns a limited number of situations. It only applies when two cumulative conditions are met:
- The processing of data is based on consent5;
- and it is related to a service of the information society offered directly to a child.
“Information society service” is defined as a service provided against payment, at a distance, by electronic means and at an individual request6. The definition excludes services free of charge, although it includes services provided without payment from the end-user but supported by advertising. It also covers the selling of goods offered online where the contract is concluded by electronic means7.
Services must be provided “directly to a child”8. This means that a service offered through an intermediary, such as a public institution like a school, is not covered by the provision. The service must be directed specifically at minors. The condition is fulfilled if the service is available to all users without any age restrictions. It is obviously not the case if the service is targeting adults, like sports betting sites. Whether children have access to the service or not is a question of fact.
Determining the age of consent
Children who are at least 16 years old may lawfully consent themselves to the processing of their data. One difficulty businesses face in applying the provision is that the definition of a child is not uniform across Member States. The GDPR offers flexibility to European countries in determining the digital age of consent. National laws may provide for a lower age than 16 years, but not below 13 years. It is up to business managers to inquire about the state of the national legislation where they market their products or services.
Data controllers should take into account the fact that the information provided for consenting to the gathering of data is addressed to a child. The language used should be “clear and plain”9 to minors in order to enable them to make an “informed consent”10.
They also have the responsibility to verify the age of the persons they are dealing with, even though the GDPR does not explicitly require it11. They have to make reasonable efforts to verify that children are legally able to consent to the processing of their data.
The age verification process should not involve the processing of an excessive amount of data. It should consequently respect the data minimization principle12 and be proportionate to the service provided. A company does not need to take the same verification steps when it sends a newsletter by email to children, for example, and when it allows them to participate in an online chat where personal data are shared.
If children are under 16 years old, or under the age determined by the Member State, businesses need to obtain consent from their parents or receive the parents’ authorization to collect consent directly from the children.
The GDPR does not specify how to obtain that authorization or consent and how to verify if the person involved is the holder of parental responsibility. It simply states that the controller “shall make reasonable efforts” to verify it “taking into consideration available technology”13. What was said previously about age verification (data minimization and proportionality principles) applies mutatis mutandis to the verification of the parents’ authorization or consent.
Children’s and their parents’ consent is not irreversible. The protection offered by the GDPR to children extends to the possibility of confirming, modifying or withdrawing their consent when they reach digital maturity. They can withdraw their consent14 and they retain their right to erasure15. Children should be informed of this possibility in a language suitable for their age16 before and when they gain the right to consent by themselves.
* A French version of this text was published under the title Le consentement des enfants dans la société de l’information.
1 European Data Protection Board, Guidelines 5/2020 on Consent under Regulation 2016/679, para. 124.
2 Article 29 Working Party, Opinion 2/2009 on the Protection of Children’s Personal Data (General Guidelines and the Special Case of Schools) (2009), p. 3.
3 Recital 38 GDPR.
4 Art. 8 GDPR.
5 Cf. art. 4 (11) and 6 (1) (a) GDPR.
6 Art. 4 (25) GDPR; and Directive (EU) 2015/1535 of 9 September 2015 Laying Down a Procedure for the Provision of Information in the Field of Technical Regulations and of Rules on Information Society Services, OJEU L 241, 17 September 2015, p. 1, art. 1 (1) b).
7 Directive (EU) 2015/1535, ibid., recital 18; and CJEU, Ker-Optika bt/ÀNTSZ Dél-dunántúli Regionális Intézete, C-108/09, 2 December 2010, Rec., p. I-12213, para. 24.
8 Recital 38 GDPR.
9 Recital 58 GDPR.
10 Art. 4 (11) GDPR.
11 Guidelines 5/2020 on Consent under Regulation 2016/679, op. cit., para. 133.
12 Art. 5 (1) (c) GDPR.
13 Art. 8 (2) GDPR.
14 Art. 7 (3) GDPR.
15 Art. 15 and recital 65 GDPR.
16 Art. 12 (1) GDPR.