Children's personal data: What are your responsibilities?

The advent of the new GDPR laws that were brought in a few years ago made a lot of businesses sit up and take notice when it came to thinking about how they collect and handle data. Most have now got to grips with this where adults are concerned, but what are your responsibilities as a business when it comes to the personal data of children?

As those under the age of 16 cannot legally give consent for anything throughout most of the EU, it can be hard to know what you have the right to keep. You also need to be aware of what differences there are between the legal rights of a child and an adult and what levels of transparency need to be in place. Much of this will hinge on whether your services and communications are targeted at children, and if so, whether they are done so in a language that they can understand.

Here, Lovedays Solicitors, specialist family law solicitors in Derby, share their expertise in where you stand when it comes to children’s personal data.

Current GDPR rules

According to the GDPR laws, any information that is provided to a child needs to be clear enough for them to be able to easily understand. If a child asks a business to provide a paid-for service, then parental consent will be required if they are under the age of 16 in the EU.

The law also states that the age at which a child can give their own consent is 16, however, in the UK, this has been lowered to 13 years of age. In Northern Ireland there is no legally defined age at which someone is considered to be a child and so they are able to give consent themselves without requiring you to ask for parental consent.

Otherwise, parental consent will be needed, and the data controller has the duty to ensure that person giving that consent does actually have the parental responsibility to do so.

It also stated that children do require specific protection when it comes to their personal data as they may be less aware of the risk and consequences associated with it. This particularly refers to using this data for the purposes of marketing or the creation of user profiles. Whilst signing up to an email newsletter might be considered low risk, entering a chat room is much higher.

The ICO also cites that the best interests of the individual child should be considered, and that the commercial interests of a business will not outweigh a child’s right to privacy. This is to encourage businesses to think about taking the vulnerability of children into account when they communicate with them.

Holding data

If your business holds any data relating to children, it is important to remember that they have the same rights under the GDPR laws as adults. The only exception to this is that when a child wants to exercise those rights, all responses must be written in a clear and plain language that the child will be able to understand.

No matter how young the child might be, it is still them that owns their own personal data, and not their parents, and so a parent may not have the right to make a subject access request in relation to their child’s personal data.

When holding the personal data of children, you need to look at how that is collected and how consent is obtained. You should consider what steps you take to verify the age of the child, and if they are under 13, look at how you can obtain parental consent. The age of the child will also need to be verified if they ever make a data request in order to ensure that you respond in the correct fashion and language.

Special data

If you are processing special data such as health information, you will need to meet the conditions for processing under Article 9 of the GDPR laws. If you are collecting data to satisfy a legal obligation such as safeguarding or health and safety laws, then you do not need to ask for consent to hold this data.

Digital Consent

According to the law, only children aged 16 or over can give consent online to receive an Information Society Service. This refers to most online services and apps that do not have any age restrictions or where age restrictions allow under 18s. If a child is under this age of consent, then they will need parental consent instead and you should make “reasonable efforts” to verify that the person doing this holds parental responsibility. You should check what country a child is from to see if they comply with the relevant age restrictions.

Marketing

Before you can use a child’s personal data for marketing purposes, you will need to carry out a DPIA. This refers to both direct marketing as well as targeted or online behavioural advertising. You must keep the protection of the child in mind at all times and make sure that you never exploit wither any lack of understanding or vulnerability and children must still have their right to object to direct marketing clearly set out.

When it comes to children and their personal data, it is important to remember that they have just as much of a right to privacy as anyone one else, but unlike anyone else, you need to go to great efforts to ensure that they understand what it is that they are giving consent to.

Even when it comes to seeking parental consent, you need to be able to show that this has been done responsibly and you have made all reasonable efforts to ensure that the consent comes from someone who has the right to give it.

Think carefully about the legitimate reasons for holding this data and make sure it is not only done so correctly but that it has been done by communicating with the subject in a way that allows them to understand what they are agreeing to.