This is the ninth blog topic about the impact of the General Data Protection Regulation (GDPR) on Consumer IAM projects. This blog is the last of a series that touches on important topics for IAM experts who have an interest in the new EU regulations. The topic is 'Children's privacy under GDPR'.
The GDPR contains new rules and regulations intended to improve the protection of the personal data of children. These are incorporated in article 8 "Conditions applicable to child's consent in relation to information society services".
Why is it so important to protect the rights of children with respect to personal data?
Although digitisation has impacted all layers of society, this holds even stronger for children. Recent research shows that one out of three users of the internet is under the age of 18. And besides playing games and creating cool new stuff, children also disclose loads of personal data. Combine that with their emotional volatility and relatively impulsive actions and one can figure their increased vulnerability to (commercial) misuse.
Despite the increased attention devoted to protecting children's rights through European policies in recent years, the GDPR is the first European legislative measure to actually protect children's personal data. In my opinion, the GDPR is right when identifying children as "vulnerable individuals", entitled to "special protection".
How does this new protection of children's personal data work?
The rule of thumb for GDPR is that when online services (in GDPR referred to as information society services) are offered to children under the age of 16 and consent is required as the basis for the lawful processing of the child's data, consent must be given or authorised by a person with parental responsibility for the child. Just like the other GDPR requirements on consent, this parental consent will need to be freely given, specific and well-informed. In practice, this shall result in an active opt-in decision by the parent on behalf of his or her child.
This means that parents shall thus become more involved in the digital lives of their children. Just as we know in the brick & mortar world where in some countries children are 'added' to the parents' passport identity, under GDPR children shall become part of their parents' digital identity.
A practical example of parental consent
Children can be real fans of their favorite toy and everything branded in that style is appealing. So, if 10-year-old Elsa is fond of 'My little Pony', she is likely to want to become a member of the online 'My little pony friends club', with online games, photos and stickers, news and interaction with other friends. She signs up with a nickname and password and is asked for her birthdate to verify her age. No other data can be gathered because there is no parental consent. In the next step, Elsa is invited to share one of her parents' email addresses. The parent gets an email, informing him or her of Elsa's wish to become a member of the 'My little Pony friends club' and the personal data required for her profile. If the parent gives consent, Elsa can update her profile by sharing her personal data and use all the features of the club.
How should organisations verify the ages of its consumers and/or users?
Unfortunately, GDPR does not state any clear requirements to authenticate the age of a child. Furthermore, organisations must make 'reasonable efforts' to verify that the person providing the consent is indeed the parental figure entitled to perform this action. This is despite the initial request of the European Commission proposing for delegated acts on this issue. Personally, I think this is a missed opportunity as it leaves plenty of room for interpretation.
GDPR gives countries the right to adopt additional regulation concerning the age of consent. For example, some countries may opt to lower the age limit to 13. So, in spite of a General European Privacy Regulation there may still be (slight) differences between individual countries.
What does my organisation have to do to comply with this parental consent requirement?
In order to prepare for the children's data protection requirements set out by the GDPR, it is recommended to take the following steps:
- Analyse whether these new rules on children are likely to affect your organisation;
- If your organisation offers services (or information) directly to children ensure you know if there are additional national rules that apply to you;
- For services offered directly to children, make sure these are accompanied with clear information that can easily be understood by children;
- Ensure you have some sort of system in place to (try and) check the age of the child;
- Ensure that you have measures or systems in place to check that someone is indeed the parent of the child that wishes to use your services;
- Make sure you properly store the parental consent and make sure it is made available to parents just as easy as the consent was given. You can think of a personal account page to be used by your customers to see, edit and manage their personal data or the personal data of their children supplemented by their parental consent.
What happens if organisations don't comply?
By not complying with GDPR requirements on parental consent, organisation risk fines up to 10,000,000 euros or up to 2% of the organisation's total global annual turnover (whichever is higher).
The GDPR in all official European languages can be found here:
In a series of 9 blogs, we will dive deeper into the specific parts of the GDPR and their effect on IAM.
- Why IAM will never be the same.
- When should consent be requested?
- Why transparency is key to building trust.
- Strict regulation of automated individual decision making.
- What is sensitive personal data?
- Privacy by Design & Data protection by Design.
- Special rights for the individual like “right to be forgotten”
- Data breach communication.
- Children's privacy under GDPR.
Feel free to repost this blog on your website! But when you do so, please be so kind to mention the source and give us a notice via email@example.com
Corné van Rooij
VP Product & Strategic Alliances at iWelcome
Corné has been working in the security market for more than 20 years of which the last 15 years at two well known Identity Management Vendors.