The online and social media age has brought new, much publicised pressures to bear on children. A considerable threat to their privacy is the quantity of personal data which organisations may amass about them before they are old enough to understand the consequences of handing it over. While data protection law has always applied to children's personal data, the GDPR introduces special protections for children for the first time in the EEA.
Recital 38 of the GDPR states that:
"Children require specific protection with regard to their personal data as they may be less aware of the risks, consequences and safeguards concerned and their rights in relation to the processing of personal data. Such specific protection should, in particular, apply to the use of personal data of children for the purposes of marketing or creating personality or user profiles and the collection of personal data with regard to children when using services offered directly to a child".
Recitals are non-binding but may be taken into account when considering compliance and they should inform the application of the binding provisions.
The ICO also points to the United Nations Convention on the Rights of the Child which requires the best interests of the individual child be considered. In its draft Code of Practice on data sharing, the ICO says "it is unlikely that the commercial interests of an organisation will outweigh a child's right to privacy. Considering the best interests of the child should form part of your compliance with the lawfulness, fairness and transparency principle".
What this means is that you should always think about whether you are processing children's personal data, and take children's vulnerability into account in the way you communicate with them and in terms of what you do with their data and how you give effect to their rights. There are a number of areas where you need to pay special attention if you are or may be processing children's personal data.
Under the GDPR, data controllers must rely on a lawful basis from the list in Article 6 in relation to each processing operation. Any of the Article 6 bases can be used to process children's data but additional considerations may apply.
Consent – As well as all the usual factors involved in getting GDPR consent, data controllers need to consider the competence of a child and whether they have the capacity to understand the ramifications of consent. If they do, then they can provide consent unless it is evident they are acting against their best interests. If the child is not competent then their consent cannot be informed and will be invalid. Another factor in gaining informed consent is presenting information in such a way that a child will understand it. This is made more complex due to different levels of understanding among different age groups.
Consent also has to be freely given and any imbalance in the relationship between the data controller and the child is likely to compromise that. The Swedish regulator recently fined a school around EUR 20,000 for failure to have a lawful basis for processing personal data after the school installed a facial recognition system with the consent of the children. The regulator said that any consent was invalid due to the imbalance in the relationship between the data controller and the data subjects.
There is no set age at which a child is considered competent to provide consent (apart from in relation to digital consent as explained below). Data controllers need to take into account the age of the child and the complexity of what they are being asked to understand.
A further complication is caused by the child's right to withdraw consent at any time once they are competent to do so. This means that if you accept consent from someone with parental responsibility on behalf of a child, you need to ensure that the child knows they can withdraw that consent once competent. The ICO suggests including information about this in all communications with the child about their privacy settings and how to update them.
Performance of a contract – Again, competence is the main issue with relying on the lawful basis that processing personal data is necessary for the performance of a contract entered into by the child. While in Scotland, children under 16 largely have no capacity to enter into contracts, the general rule in the rest of the UK is that children over the age of seven can enter into contracts but they can also effectively cancel the contract at any time. If that happens, then there will no longer be a lawful basis for the related processing.
Legitimate interests – Where processing is carried out on the basis that it is in the legitimate interests of the data controller, this must always be balanced against the rights and freedoms of the data subject. The GDPR explicitly underlines the importance of this balancing test where the data subject is a child. In its Children and the GDPR guidance, the ICO stresses that it is the responsibility of the controller to assess the risks to the child and to protect them, including by prioritising their interests. This applies even where the processing of children's data may be incidental.
Other lawful bases – If you are relying on the other lawful bases (legal obligation/vital interests/public task), the main issue to keep in mind is that what is proportionate or required may vary where the data subject is a child, and depending on their age.
Special data – If you are processing special data (like health data), in addition to a lawful basis, you also need to meet one of the conditions for processing under Article 9 (which should be read in conjunction with ss10-11 of Schedule 1 of the Data Protection Act 2018). If you are required to carry out a necessity test then again, it is a question of giving special consideration to the child and what is in their best interests.
Age of digital consent
The GDPR states that only children aged 16 or above can give consent online to receive an Information Society Service (unless the consent is for an online preventative or counselling service). This covers most online services and generally includes websites, apps, search engines, online marketplaces, and online content services. The services do not have to be offered directly to children but will be considered by the ICO to be made available to children if they are offered to users without age restrictions or where any age restriction allows users under the age of 18. Services provided via an intermediary, like a school, are not included.
Children under the age of digital consent must have the holder of parental responsibility give consent on their behalf. Member States have discretion, in one of the rare instances of permitted divergence under the GDPR, to lower that age as far as 13, as the UK has done. This means that in practice, when a child is giving consent, the child should be asked to confirm which country they are in so that differing age limits across the EEA can be respected.
It is fairly easy to understand what the age of digital consent is in individual countries (see our table for a summary); it is much harder to verify the source of consent, both the age of the child consenting and whether the holder of parental responsibility has given consent where required. The ICO's GDPR guidance says that it is a matter of fact as to whether or not consent has been lawfully obtained from a child, but in the event of a complaint, it will consider whether the data controller has made reasonable efforts to verify that the child is old enough to provide their own consent, taking into account the risks inherent in the processing, and the available technology.
The GDPR explicitly requires data controllers to make "reasonable efforts" to verify that any person giving consent on behalf of a child does, in fact, hold parental responsibility. Again, what is reasonable will take account of the risks inherent in the processing and the available technology. The ICO says that collecting a child's email address in order to send them a fan newsletter is likely to be low risk and asking for tick box confirmation of age may well be sufficient. Higher risk services – for example, chat rooms which allow users to upload personal data – will require additional efforts. The ICO says that in these situations it may be advisable to use a third party verification service.
The ICO recognises in its GDPR guidance that age verification is dependent on available technologies and can also result in the need to collect further data. There are techniques which can be used for verification, from facial recognition to the scanning of identity documents, but these all involve processing more personal data. The ICO warns that this should not be undertaken lightly and that the principles of data minimisation and deletion should be observed.
The ICO considers that a DPIA must be carried out before processing a child's personal data for marketing purposes. This covers both direct marketing and targeted or online behavioural advertising. The ICO says that "in all circumstances, the child should be specifically protected" and it is crucial not to exploit any lack of understanding or vulnerability. For example, children must have their right to object to direct marketing clearly set out.
The Privacy and Electronic Communications Regulations (PECR), which implement the ePrivacy Directive, are also relevant here as consent will be needed under PECR for the majority of electronic direct marketing. There is an exception where you have already provided goods or services to the child, in which case you will be able to send them electronic marketing about similar goods or services. Where consent is needed under PECR, it will also need to be the lawful basis for the related processing.
You may also need to consider advertising standards rules. See our article for more.
Solely automated decisions and profiling
Article 22 GDPR prohibits solely automated decision making (including profiling) where the decisions have a legal or similarly significant effect on the individual (subject to limited exemptions). While Article 22 and the exceptions apply equally to child and adult data, Recital 71 states explicitly that solely automated decision making (including profiling) with legal or similarly significant effects "should not concern a child". The Recital isn't binding and it appears to be something of a drafting oversight that this is not mirrored in the body of the GDPR, but it does indicate that this type of processing of children's data should "not be the norm" in the words of the ICO.
This view is supported by EU-level guidance on automated decision making and profiling which says "where possible, controllers should not rely upon the exceptions in Article 22(2) to justify [such processing]". EU guidance also recommends that you should avoid profiling children for marketing purposes.
The Article 22 prohibition only applies where the processing has legal or similarly significant effect. It's reasonably straightforward to assess what might have legal effect but not so easy to assess what has a similarly significant impact. The ICO's guidance gives the example of solely automated processing of a child's data to influence the child to make poor food choices which could damage their health. In general, if advertising standards prohibit or limit the marketing of certain types of products to children, that is a good indication that influencing a child's choices in this area could have a similarly significant effect on them.
If you do decide to engage in this type of processing then, in the first place, a DPIA will be necessary to establish that the child's rights are sufficiently protected, and procedures must be put in place to properly protect the interests of the child. The information requirements must be complied with and presented in a way the child will understand. The child must be given the right to obtain human intervention and the right to give their own view and contest a decision. All information must be presented in a child-friendly way.
The ICO's recently updated draft Code of Practice on data sharing illustrates the additional care which must be taken when dealing with children's personal data. The emphasis is on privacy by design and default and again, a DPIA is advised even where not mandatory where sharing children's data is planned. The best interests of the child are paramount and their data should only be shared where there is a compelling reason to do so which is in the child's best interests, for example, for safeguarding purposes. Where data is going to be shared with a third party, due diligence checks should be carried out. If you can reasonably foresee that the third party will use the data in a way which is detrimental to the child, you should not share it.
There are exemptions which may allow you to process children's data in ways which the GDPR would not otherwise allow. These exemptions are covered in Article 23 and Chapter IX of the GDPR and in Schedules 2-4 of the Data Protection Act 2018 (in the UK). They are highly specific and may vary across the EEA.
There are fewer explicit references to children's personal data as a special case in the GDPR than you might expect, but given the protection in Recital 38, the overall message is that you need to be extra careful when processing children's personal data and that will almost certainly involve carrying out a DPIA before the processing operation begins. You may also need to consider the Age Appropriate Design Code if you are an online service provider and other Codes of Practice which discuss the use of children's data.
In essence, you need to be more transparent, more considered and more accountable with children's personal data, and you need to ensure that all your communications with children are easy for them to understand (see our article for practical steps). Protections need to be implemented at the design stage, and not only privacy by design and default but all the data protection principles need to be considered in the context of children's data. Think of it as GDPR++.