GDPR-K: Children’s Data and Parental Consent under the GDPR
The European Union’s General Data Protection Regulation (GDPR) recognizes that children’s personal data should be afforded special protections because they may be less aware of the risks and consequences of data sharing. Recital 38 notes that the use of a child’s data for marketing, creation of user profiles, or the collection of data when using services merits specific protection. The process of obtaining consent for children (and the validity of their consent) are governed by Article 8 of the GDPR. The sections of the GDPR that relate to kids’ data are often shortened to the acronym GDPR-K.
How does GDPR-K compare to the Children’s Online Privacy Protection Act (COPPA)?
COPPA is the United States law applying to websites and online services directed at children under the age of 13 years old, or the websites and online services of operators who have actual knowledge that they are collecting personal information online from kids under 13 years of age. The law is enforced by the Federal Trade Commission (FTC).
The requirements for GDPR-K are similar to COPPA. Parental consent is required; there must be transparency regarding the collection of the data and its usage; and in general the GDPR provides for data subject access requests as well as the right to erasure.
Who is considered a child under the GDPR-K?
This is one area where COPPA and the GDPR-K differ. COPPA considers a child anyone under 13 years of age. The GDPR sets the age of consent at 16 years of age but allows individual member states to lower the age of consent to a minimum of 13 years old.
What is the age of consent?
The age of consent varies by country. Germany, Hungary, Lithuania, Luxembourg, Slovakia and The Netherlands are expected to maintain the GDPR age of consent at 16 years of age. Austria has officially adopted its GDPR implementation and the age of consent is 14 years old. The United Kingdom, Spain, Czech Republic, Denmark, Ireland, Latvia, Poland, and Sweden are expected to have an age of consent at the minimum: 13 years old. Finland and France are still uncertain: Finland will likely end up between 13 and 15 and France will be either 15 or 16.
How is parental consent handled?
Consent from a child is only valid if the holder of parental responsibility (parent or guardian) also gives consent. Article 8(2) requires reasonable efforts to verify that the parent has given consent for processing of the child’s data. COPPA handles verifiable parental consent through several methods including a consent form to be printed and returned via mail, fax or scanned; to use a credit card, debit card or other online payment system providing notification to the primary account holder; have the parent or call or video conference with trained personnel on the staff; or verify identity by checking government issued identification.
Where does Article 8 not apply?
The one area where Recital 38 indicates that parental consent is not necessary is in the context of preventative or counselling services offered directly to a child. Article 8 also does not change the age of a member state for the valid formation of contracts.
What is the text of GDPR Article 8 on children’s consent?
Article 8: Conditions applicable to child’s consent in relation to information society services
(1) Where point (a) of Article 6(1) applies, in relation to the offer of information society services directly to a child, the processing of the personal data of a child shall be lawful where the child is at least 16 years old. Where the child is below the age of 16 years, such processing shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child. Member States may provide by law for a lower age for those purposes provided that such lower age is not below 13 years.
(2) The controller shall make reasonable efforts to verify in such cases that consent is given or authorised by the holder of parental responsibility over the child, taking into consideration available technology.
(3) Paragraph 1 shall not affect the general contract law of Member States such as the rules on the validity, formation or effect of a contract in relation to a child.
Contact Clarip for CCPA and GDPR Software
The Clarip privacy management software is ready to help improve your organization’s privacy practices. Click here to contact us (return messages within 24 hours) or call 1-888-252-5653 to schedule a demo with a member of the Clarip team.
If your immediate need is California Consumer Privacy Act compliance, take a look at our CCPA software. From consent management to powerful DSAR Software, Clarip offers enterprise privacy management at an affordable price.
Click here to contact us (return messages within 24 hours) or call 1-888-252-5653 to schedule a demo and speak to a member of the Clarip team.
Consent Management Software Platform
Preference Management Software Solution
Opt In & Opt Out Consent Software for CCPA
Right to Opt Out in CCPA
Mobile App Consent Manager
Service Providers and the Right to Opt Out under the California Consumer Privacy Act
Opt In Consent for Children in CCPA
How to Obtain Consent Under GDPR
Best Practices for GDPR Consent
GDPR’s Special Categories of Personal Data
Verbal Consent Under GDPR
GDPR-K: Children’s Data and Parental Consent