- About Us
This is the ninth in a series of nine blog posts on how Consumer Identity and Access Management (CIAM) products can help organisations in their Compliance with the General Data Protection Regulation (GDPR). This blog is part of a series that cover important topics for CIAM experts who have an interest in the new EU regulation. The topic is 'Children's privacy under GDPR'.
The GDPR contains new rules and regulations intended to improve the protection of the personal data of children. These are incorporated in article 8 "Conditions applicable to child's consent in relation to information society services".
Although digitisation has impacted all layers of society, this holds even stronger for children. Recent research shows that one out of three users of the internet is under the age of 18. And besides playing games and creating cool new stuff, children also disclose loads of personal data. Combine that with their emotional volatility and relatively impulsive actions and one can figure their increased vulnerability to (commercial) misuse.
Despite the increased attention devoted to protecting children's rights through European policies in recent years, the GDPR is the first European legislative measure to actually protect children's personal data. In my opinion, the GDPR is right when identifying children as "vulnerable individuals", entitled to "special protection".
The rule of thumb for GDPR is that when online services (in GDPR referred to as information society services) are offered to children under the age of 16 and consent is required as the basis for the lawful processing of the child's data, consent must be given or authorised by a person with parental responsibility for the child. Just like the other GDPR requirements on consent, this parental consent will need to be freely given, specific and well-informed. In practice, this shall result in an active opt-in decision by the parent on behalf of his or her child.
This means that parents shall thus become more involved in the digital lives of their children. Just as we know in the brick & mortar world where in some countries children are 'added' to the parents' passport identity, under GDPR children shall become part of their parents' digital identity.
Children can be real fans of their favourite toy and everything branded in that style is appealing. So, if 10-year-old Elsa is fond of 'My little Pony', she is likely to want to become a member of the online 'My little pony friends club', with online games, photos and stickers, news and interaction with other friends. She signs up with a nickname and password and is asked for her birthdate to verify her age. No other data can be gathered because there is no parental consent. In the next step, Elsa is invited to share one of her parents' email addresses. The parent gets an email, informing him or her of Elsa's wish to become a member of the 'My little Pony friends club' and the personal data required for her profile. If the parent gives consent, Elsa can update her profile by sharing her personal data and use all the features of the club.
Unfortunately, GDPR does not state any clear requirements to authenticate the age of a child. Furthermore, organisations must make 'reasonable efforts' to verify that the person providing the consent is indeed the parental figure entitled to perform this action. This is despite the initial request of the European Commission proposing for delegated acts on this issue. Personally, I think this is a missed opportunity as it leaves plenty of room for interpretation.
GDPR gives countries the right to adopt additional regulation concerning the age of consent. For example, some countries may opt to lower the age limit to 13. So, in spite of a General European Privacy Regulation there may still be (slight) differences between individual countries.
In order to prepare for the children's data protection requirements set out by the GDPR, it is recommended to take the following steps:
By not complying with GDPR requirements on parental consent, organisation risk fines up to 10,000,000 euros or up to 2% of the organisation's total global annual turnover (whichever is higher).
The GDPR in all official European languages can be found here:
In a series of 9 blogs, we will dive deeper into the specific parts of the GDPR and their effect on CIAM.
Feel free to repost this blog on your website! But when you do so, please be so kind to mention the source and give us a notice via email@example.com.