The data of the claimant's under-age daughter was collected by a website without proper parental consent and without confirmation of the data subject's age.

The Spanish Data Protection Agency ("SDPA") imposed a fine of €2,000 on Boombang Games, S.L. for breach of Article 6.1 Spanish Data Protection Act ("DPA") relating to the need to obtain consent for processing personal data in relation to Article 13 of the Regulation implementing the DPA (Royal Decree 1720/2007), which sets out the requirements for processing the data of minors.

This decision explores two key issues on the application of Spanish data protection legislation:

I. The e-mail address as personal data

The Agency considered whether an e-mail address is personal data and, therefore, subject to the DPA.

In its report of 4 February 2005 (75007/2004), the SDPA indicated that an e-mail address should be considered personal data because:

  • Article 2.1 DPA states that the DPA "shall apply to personal data recorded on a physical support which makes them capable of processing and to any type of subsequent use of such data by the public and private sectors";
  • Article 3 (a) DPA consider that "any information concerning identified or identifiable natural persons" is personal data;
  • Article 5.1 (f) of the Regulation regards personal data as "any alphanumeric, graphic, photographic, acoustic or any other type of information pertaining to identified or identifiable natural persons"; and
  • Article 5.1 (o) of the Regulation according to which an identifiable person is "any person who may be identified, directly or indirectly, through any information regarding his physical, physiological, psychological, economic, cultural or social identity. A natural person shall not be deemed identifiable if such identification requires disproportionate periods of time or activities."

The SDPA report of 15 November 2005 suggests that an e-mail address is formed by a combination of letters and/or figures that are freely chosen by the address owner, limited only so as not to match another person's address. This combination of letters and figures may or may not have a particular meaning and may even include the name of another person. To this effect there are two possible interpretations:

  1. The e-mail address contains some information about its owner (e.g. name, employer or country of residence), whether this information is provided by the owner voluntarily or otherwise. In these circumstances, the e-mail address is clearly the owner's personal data; or
  2. The e-mail address does not obviously contain data that relate to its owner (e.g. the e-mail address is made up of a random string of letters). In such a case, it is arguable that the e-mail address should not be considered personal data. However, the e-mail address must be connected to a certain internet domain, so that identification of its owner would be possible via the server. The e-mail address could be considered personal data if additional personal information about the owner was provided when registering the email account. Even here, the e-mail address alone may be considered personal data.

II. Consent for the processing of data of minors

According to Article 13 of the Regulation:

  • Data subjects over the age of 14 may consent to their data being processed, unless otherwise required by law;
  • Parental consent is required for the processing of data relating to data subjects under 14 years of age (i.e. minors);
  • Data may not be collected from a minor that relates to their wider family unit (e.g. the professional activity of and financial information relating to their parents) without parental consent. As an exception to this, data relating to the identity of a parent or guardian may be collected solely to verify parental consent to the above;
  • Information notices aimed at minors should be readily-understandable to a minor and should expressly refer to the provisions of Article 13;
  • The data controller is responsible for putting in place mechanisms (i) to guarantee the age of the data subject and (ii) to verify the legitimacy of the parental consent obtained.

In its decision of 17 December 2009, the Audiencia Nacional established that, to satisfy Article 13, consent must be free, specific and informed. While consent should also be unequivocal, this can be shown expressly in writing or implied by a particular action taken by the data subject (Audiencia Nacional's judgment of 14 April 2000).

The SDPA recognises that there is no specific mechanism established under Article 13 by which a data controller can verify that parental consent has been given to the processing of data pertaining to a minor. However, the SDPA considers that a simple 'tick box' acceptance of a statement that the user is older than 14 is not a valid means to check a user's age. Equally, requesting a copy of the ID cards of both the parents and the minor is insufficient to prove that parental consent has been provided. In the SDPA's opinion, parental consent may be validly verified by receipt of a statement of consent to the processing signed by the parent, attached to which is a copy of the parent's ID card.

SDPA imposed an economic fine on Boombang, as it considered that the minor's personal data had been processed without parental consent having been validly obtained, notwithstanding that Boombang's privacy policy specifically contained a statement saying that registration was available to users aged over 14 or to those that have obtained parental consent to registration and use of the website.