Ireland’s Data Protection Commission (“DPC”) recently concluded a consultation into the privacy rights of children. It is likely that businesses and organisations involved in handling children’s data will need to revise their approaches, particularly in terms of how transparency information is provided to children and how children are profiled for marketing purposes.

The EU’s General Data Protection Regulation (“GDPR”) acknowledges the special position of children, who are recognised as “vulnerable individuals” deserving of “specific protection”. Under the law, Ireland’s DPC is under a particular obligation to promote awareness and understanding of the rights, risks, rules and safeguards in relation to the processing of personal data, and as such, recently carried out a consultation on the processing of children’s personal data and the rights of children as data subjects.

The DPC’s consultation

The consultation consisted of two streams, one aimed at adult stakeholders (including parents, educators, children’s rights organisations, child protection organisations, representative bodies for parents and educators, as well as organisations that collect and process children’s data), and the other at children and young people. The findings from both streams suggest that changes are likely in the regulation of children’s personal data.

A majority of adult respondents said that different sets of transparency information should be provided to adults and children based on their levels of understanding, and that there should be a prohibition on profiling children for marketing purposes. Meanwhile, the responses from the children and young people’s groups showed a sound understanding of privacy and data protection, with respondents seeking greater simplicity, accessibility and transparency in how their personal data is processed. One overarching theme of both streams was a desire to see privacy matters better integrated into digital services, through age verification gates and more user-friendly explanations of privacy matters.

The UK Information Commissioner’s Office (“ICO”) has led the way in this area, by publishing its own guidance prior to the implementation of the GDPR. In January 2020, the ICO also published the final version of its “Age Appropriate Design Code”, which sets out 15 standards that online services should meet to protect children's privacy, and gives practical guidance on data protection safeguards that ensure online services are appropriate for use by children. Based on its consultation, it is expected that the DPC will follow suit in 2020 with its own guidance or more formal guidelines on children and GDPR, which will likely incorporate the key issues highlighted in the consultation.

Tips for organisations handling children’s data

Given the special status of children under the GDPR, organisations processing or controlling children’s data should carefully consider how they are affected and take steps to ensure ongoing compliance. In particular, organisations should ensure that:

  • Privacy notices use clear and plain language and are drafted with a child’s level of understanding in mind.
  • Protections of children’s data are “built-in” from the design stage of a service.
  • They have a lawful basis or justification for processing a child’s personal data:
    • where digital “consent” is relied on, it must be obtained either from a child over the age of 16 (under Irish law) or with parental consent where a child is less than 16.
    • where other (non-digital) consent from a child is relied on, consent may be required from parents / guardians up to the age of 18.
    • a reliance on “legitimate interests” to process children’s data is supported by a carefully documented balancing of the organisation’s interests against the child’s, taking into account any future guidelines published by the DPC in this area.
  • In the case of digital services directly offered to children:
    • (i) an assessment is carried out into which EU Member States their services are accessible in, to ensure that appropriate consent mechanisms are in place, and
    • (ii) care is taken in ensuring specific protection where the use of personal data is for marketing purposes, or creating personality or user profiles.