What You Need to Know About The GDPR and Children’s Data

If your organisation is dealing with children and/or families, then the GDPR means there are some special considerations for dealing with children’s personal data. Here’s what you need to know about The GDPR And Children’s Data:

What does the GDPR say about children’s data?

Under the GDPR, the default age at which a person is no longer considered a child is 16, but it allows member states to adjust that limit to anywhere between 13 and 16. Data controllers therefore must know the age of consent in particular member states, and cannot seek consent from anyone under that age. Instead, they must obtain consent from a person holding “parental responsibility”. They must also make “reasonable efforts” to verify that the person providing that consent is indeed a parental figure.

The GDPR states that where the child is below the age of 16 years, such processing shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child.

The controller shall make reasonable efforts to verify in such cases that consent is given or authorised by the holder of parental responsibility over the child, taking into consideration available technology.
Under GDPR the controller shall make reasonable efforts to verify parental consent for children's data Click To Tweet

Tips for handling children’s data under the GDPR

Because kids are less aware of the risks involved in handing over their personal data, they need particular protection when you are collecting and processing their data.

• If you process children’s personal data then you must build in protections from the outset and design your processes to protect their data.
• As with all personal data, you should comply with data protection principles but when it comes to children, you need fairness at the middle of your processing of children’s personal data.
• You must have a lawful basis for processing a child’s personal data. Consent is one possible lawful basis for processing, but it is not the only option. Sometimes using an alternative basis is more appropriate and provides better protection for the child.
• If you are relying on consent as your lawful basis for processing, when offering an online service directly to a child, in the UK only children aged 13 or over are able provide their own consent. For children under this age you need to get consent from whoever holds parental responsibility for the child – unless the online service you offer is a preventative or counselling service.
• Children merit specific protection when you use their personal data for marketing purposes or creating personality or user profiles.
• Data controllers don’t need to seek the consent of parental figures when the processing is related to preventive or counselling services offered directly to the child.
• The “clear and plain language” requirement will affect any business that offers services for children, eg. mobile phone apps, or social media services for children. The terms and conditions for such apps/services will need to be written differently to those targeted at adults.
• Note that for children aged 12 to 15, will no longer be able to give their own consent when downloading apps, etc. In those cases, parental consent will be required, and the business will have to bear the burden of checking that whoever gave consent did have parental responsibility.
• You should not make decisions based solely on automated processing about children if this will have a legal or similarly significant effect on them.
• You should write clear privacy notices for children so that they are able to understand what will happen to their personal data, and what rights they have.

Even if your business doesn’t provide online services but simply holds children’s data, under the GDPR those children have just the same rights under the GDPR as adults, except that when a child exercises those rights, any response must be written in a way that the child will understand.

If you are using “legitimate interests” to justify processing kids data then that needs to be backed up with documented consideration of whether a child’s interests override those of your organisation.

Children have the same rights as adults over their personal data. These include the rights to access their personal data; request rectification; object to processing and have their personal data erased. An individual’s right to erasure is particularly relevant if they gave their consent to processing when they were a child. More information can be found on the ICO website.

Steps to Take if Handling Children’s Data

1. Consider whether any of your services are targeted at children, or used by children.

If so, it will be important to ensure that your terms and conditions are updated in order to satisfy the “clear and plain language” requirement.

2. Review how you obtain consent

Secondly, if your business does process any personal data relating to children, review how you obtain consent at the point of collecting that data. Do you take steps to verify the child’s age? Are those steps reasonable? And if the child is under 16 years, how will you ensure that you obtain the consent of someone with parental responsibility for that child? Ensure that processes to gather parental consent are put in place including verifying with the parent, not just as an automated assumed permission.

3. Verify age of data subjects

And then take steps to ensure that, such a data subject ever look to exercise its rights under the GDPR, you verify the age of the data subject before responding …and if the data subject is a child, ensure you respond in suitable language. Or potentially, if the child is particularly young, consider responding instead to somebody with parental responsibility for the child.

4. If offering online services direct to children

If your organisation offers information society services, in other words, online services, directly to children, make sure you are fully aware of the national rules that apply.

This is defined as “any service normally provided for remuneration, at a distance, by means of electronic equipment for the processing (including digital compression) and storage of data, and at the individual request of a recipient of a service”.
Examples of information society services are online shops, live or on-demand streaming services, and companies providing access to communication networks.

The reason for these rules, the GDPR states, is because children “may be less aware of the risks, consequences and safeguards” of handing over their personal details. The Regulation emphasises that this is particularly the case with services offered directly to a child, and when children’s personal data is used for marketing purposes and creating online profiles.

#5. If processing data offline

If your organisations processes any children’s data offline, then make sure you are compliant.

#6. Privacy notices for children

If your services are offered directly to a child, make sure notices are written in a clear, plan way with a child’s understanding in mind.

Although the GDPR calls for similar rules about clear language in general, it’s important that data controllers know the age of the intended audience and provide an appropriately phrased notice.

Sharing Children’s Data

Children’s services are routinely asked to share personal data with other organisations, maybe as part of a multi-agency approach. Children’s services teams need to be ready to explain to children and those with parental responsibility about who may access their data and why.

Under the GDPR, the organisation collecting the data is responsible for explaining this clearly and in detail. Gaining informed consent early on will save time and effort.

Best practice has always been for workers who collect and may share personal information about children and young people to explain clearly to them and their parents or carers how that data is likely to be used.

A good rule of thumb is to remember that the Data Protection Act 1998 and the GDPR are about protecting the privacy of individuals rather than organisations.

Always ensure that the data that is shared is fully encrypted and secure.

Marketing to Children

If your business markets to children it is so important to recognise the sensitive nature of your potential audience, i.e. the fact that children are less able to comprehend the purpose of marketing.

It’s best to consult with your regulatory body such as the Advertising Standards Authority, to make sure that children will not inadvertently be exploited by the marketing you’re planning.

In the case of direct marketing, children have the same rights as everyone else, you must stop if they ask you to.

Profiling or making decisions about children using solely automated means should be avoided or if you intend to do this, you should seek specialist advice to make sure you are fully compliant with regard to the GDPR and children’s data.

How has your organisation implemented changes for collection and storage and sharing of kids’ data? Any tips on managing the GDPR and children’s data? Did you find this article useful? Tell us your thoughts in the comments below. 

Join our conversation ‘all about data’ on Twitter and LinkedIn. And keep up with what’s going on in the world of data by trusting us with your email for monthly mailings (and we store it on Rinodrive so it’s super safe).