Personal data and children.

Have you got a great idea for selling toys (for kids, of course) on the Internet? Are you so ambitious that you want to enter the European market? Maybe you wrote a great game that both kids and adults love, and you want to improve it by processing user personal data? Then don’t forget about GDPR compliance!

Why should I think about GDPR compliance?

If your company is incorporated in Europe, GDPR is a document that should not be ignored and operated without in the European Union. Moreover, you are bound to think about GDPR even if your client base or online resource users are residing in its territory. And in this case, the children of EU countries deserve closer attention.

What are the provisions of the GDPR governing the processing of children’s personal data?

Recital 38 states that ‘Children merit specific protection with regard to their personal data, as they may be less aware of the risks, consequences and safeguards concerned and their rights in relation to the processing of personal data. Such specific protection should, in particular, apply to the use of personal data of children for the purposes of marketing or creating personality or user profiles and the collection of personal data with regard to children when using services offered directly to a child’.

In addition, Recital 75 of the GDPR, which provides additional explanations of the risks to the rights and freedoms of persons, specifically refers to children as vulnerable individuals.

Children’s personal data are also governed by Article 8 of the GDPR.  In particular, Article 8, paragraph 1, states that ‘in relation to the offer of information society services directly to a child, the processing of the personal data of a child shall be lawful where the child is at least 16 years old. Where the child is below the age of 16 years, such processing shall be lawful only if and to the extent that consent is given or authorized by the holder of parental responsibility over the child’.

The most important points about processing of children’s personal data

  1. Unlike other GDPR provisions, information society services are services provided online.
  2. Minors for the purposes of Art. 8 of the GDPR are children under 16 years old. However, the GDPR allows Member states to lower this minimum age to 13 years. For example, the lowest age for the personal consent of children was set in Scandinavia, the United Kingdom and Poland, and the highest was determined in Germany, Croatia and Italy.
  3. Article 8, paragraph 1 applies only if the information society services are offered directly, exclusively or mainly to children. There are three examples:

1) The proposal is made in a simplified, unofficial language for easier perception and learning by children;

2) The products offered are specifically designed for children, such as children’s literature or school supplies;

3) The proposal explicitly indicates a restriction on children (for example, the text of the proposal indicates “only for children”).

  1. According to the GDPR, consent is one of the legal bases for processing children’s data. Therefore, if you sell phone ringtones to teens, the personal data collected during the purchase (name, email address, details of users) is ‘necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract’ (Article 6, Part 1b).

If you use any other legitimate method as a basis for processing children’s data, you should consider such factors as the child’s ability to understand and agree to the processing, as well as the interests and fundamental rights of the child. In addition, if you are targeting children over the age of 13, you must write clear and relevant age-related privacy messages so they can understand what they are agreeing to.

How should I adjust my site to the GDPR requirements and provide online services in an appropriate manner?

  1. Analyze whether the GDPR provisions on children can affect your organization. Make sure you know if there are any additional national rules that apply to you.
  2. Make sure you have a system that can check the child’s age.
  3. For services offered directly to children, make sure they are accompanied by clear information that is easy for children to understand. Consideration should be given to ensuring that T&Cs and privacy policies are written in a language that the child can understand and help make conscious choice. This will allow the child to make the best decision and to decide if he or she wants to share his or her personal information in exchange for access and interaction with your products and services. A great example of an organization making efforts in this area is the BBC with their Get Out and Grow privacy policy.
  4. Make sure you have means to verify that someone is the parent of a child intending to use your services (the possible ways to identify parents are described below).
  5. Describe parental rights regarding their child’s information and the procedures that should be followed to exercise those rights.
  6. Give parents access to their child’s personal information to reconsider and / or delete such information.
  7. Make sure that you retain personal information collected online from the child only as long as it is necessary for the purpose for which it was collected. When you no longer need it, be sure to remove the information by applying security measures to protect it from unauthorized access or use.

How to be certain that there are parents who give their consent to the processing of children’s personal data?

There is no clear answer to this question. There are different ways of identifying and agreeing, including:

  • To send a copy of the passport or ID card by email;
  • To send a letter in which parents allow the processing of their child’s personal data with their signature also by e-mail;
  • To process online orders through a parent’s credit card;
  • To phone directly to parents.

All of these methods are reliable, but in practice they are difficult to implement and even more difficult for parents and children to follow. Therefore, in some cases, the well-known double opt-in method can be used.

What happens if you do not meet the GDPR requirements?

The failure to comply with the GDPR requirements for the processing of the child’s personal data puts you at risk of fines of up to € 10,000,000 or up to 2% of the company’s total annual turnover (typically the larger option). Therefore, we advise you to take care of the personal data of the children as well as your wallet.

    Your question to IT lawyers