Conditions applicable to child’s consent in relation to information society services
The GDPR introduces additional obligations to ensure an enhanced level of data protection of children in relation to information society services.
GDPR Article 8 applies to the processing of a child's personal data on the basis of consent, carried out in the context of information society services offered directly to the child.
The most common practical situations in which information society services may be offered and provided directly to a child are likely to be the provision of online services, such as access to games or play/learning applications, or the provision of mobile applications with games or similar content aimed at children.
If the child is under the age of 16, such processing will only be lawful if and to the extent that consent is given or authorised by the holder of parental responsibility for the child.
The GDPR introduces special rules relating to the processing of children's personal data. Already in the preamble we can find, among others, the following references to this issue:
GDPR Recital 38. Children merit specific protection with regard to their personal data, as they may be less aware of the risks, consequences and safeguards concerned and their rights in relation to the processing of personal data. Such specific protection should, in particular, apply to the use of personal data of children for the purposes of marketing or creating personality or user profiles and the collection of personal data with regard to children when using services offered directly to a child. The consent of the holder of parental responsibility should not be necessary in the context of preventive or counselling services offered directly to a child.
GDPR Recital 58. Given that children merit specific protection, any information and communication, where processing is addressed to a child, should be in such a clear and plain language that the child can easily understand.
The GDPR refers to the processing of children's personal data in several places. GDPR Article 8 is one such provision. It introduces additional obligations for the protection of children's personal data in the context of information society services.
What kind of processing is covered by Article 8?
GDPR Article 8 applies to the processing of children’s personal data that is:
Carried out on the basis of Article 6(1)(a), i.e. where the processing of a child's personal data is based on consent; and
Carried out in the context of so-called information society services offered directly to the child.
Consequently, this provision does not apply to situations where the processing may be based on another condition under GDPR Article 6, for example GDPR Article 6(1)(b) (necessary for the performance and/or conclusion of a contract). However, if a controller decides to process a child's personal data in the context of an information society service provided to the child based on the premise of necessity for the performance of a contract, the controller must take into account the circumstance that a child has limited legal capacity, i.e. children can only conclude contracts independently and on their own behalf in exceptional circumstances. Therefore, if according to the law applicable to the information society service in question, a child cannot conclude a valid contract with the data controller, the necessity for the performance of the contract will not be a prerequisite for the processing of the child’s personal data (unless the contract is confirmed/concluded on behalf of the child by the holder of parental responsibility for the child).
Neither does this provision apply to an information society service that is not offered directly to a child. According to Guideline 05/2020
(...), if an information society service provider makes it clear to potential users that it is only offering its service to persons aged 18 or over, and this is not undermined by other evidence (such as the content of the site or marketing plans) then the service will not be considered to be ‘offered directly to a child’ and Article 8 will not apply.
What are information society services?
Pursuant to GDPR Article 4(25), “information society service” means a service as defined in Article 1(1)(b) of Directive (EU) 2015/1535 of the European Parliament and of the Council.
According to this provision,
‘service’ means any information society service, that is to say, any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services.
For the purposes of this definition:
(i) ‘at a distance’ means that the service is provided without the parties being simultaneously present;
(ii) ‘by electronic means’ means that the service is sent initially and received at its destination by means of electronic equipment for the processing (including digital compression) and storage of data, and entirely transmitted, conveyed and received by wire, by radio, by optical means or by other electromagnetic means;
(iii) ‘at the individual request of a recipient of services’ means that the service is provided through the transmission of data on individual request.
An indicative list of services not covered by this definition is set out in Annex I;
In practice, determining whether a service is an information society service can be difficult. Annex I of the Directive, which gives examples of services that are not information society services, brings some assistance:
1. Services not provided ‘at a distance’
Services provided in the physical presence of the provider and the recipient, even if they involve the use of electronic devices:
- medical examinations or treatment at a doctor's surgery using electronic equipment where the patient is physically present;
- consultation of an electronic catalogue in a shop with the customer on site;
- plane ticket reservation at a travel agency in the physical presence of the customer by means of a network of computers;
- electronic games made available in a video arcade where the customer is physically present.
2. Services not provided ‘by electronic means’
- Services of a tangible nature, even if provided using electronic devices:
  - distribution of banknotes and tickets via automatic machines (banknotes, rail tickets);
  - access to toll roads, car parks, etc., even if the entry or exit control functions are performed by electronic devices;
- 'Off-line' services: distribution of CD-ROMs or software on floppy disks;
- Services that are not provided using an electronic data processing and storage system:
  - voice telephony services;
  - fax/telex services;
  - services provided by voice telephony or fax;
  - phone/fax medical advice;
  - phone/fax legal advice;
  - phone/fax direct marketing.
3. Services that are not provided ‘at the individual request of the service recipient’
Services provided in the form of data transmission without individual order and intended for simultaneous reception by an unlimited number of recipients ("point-to-multipoint" transmission):
- television broadcasting services (including sequenced broadcasting services) as defined in Article 1(1)(e) of Directive 2010/13/EU [Audiovisual Media Services Directive – editor’s note];
- radio signal transmission services;
- teletext (television).
It seems that the most common practical situations in which information society services may be offered and provided directly to a child are in the provision of services over the internet, such as access to games or applications for play or learning, or the provision of mobile applications with games or similar content aimed at children.
What if the conditions of GDPR Article 8 are met?
If the data controller establishes that the conditions of GDPR Article 8 are met in relation to the processing of personal data carried out or intended to be carried out by the data controller, i.e. there will be processing of the child's personal data based on consent in the context of information society services offered directly to the child, then processing the personal data of a child who has reached the age of 16 will be lawful without the need for additional requirements.
If, on the other hand, the child is under the age of 16, the processing of personal data in the above context will only be lawful in cases where consent to the processing of the child's personal data has been given or authorised by the person with parental responsibility or custody of the child, and only to the extent of the consent given or authorised by that person. Under the GDPR, in such circumstances, the controller must make reasonable efforts, taking into account available technology, to verify that the person with parental responsibility or custody of the child has given or approved consent.
Should the child's age be verified?
Does the above mean that the data controller is obliged to verify the child’s age? According to Guidance 05/2020,
When providing information society services to children on the basis of consent, controllers should make reasonable efforts to verify that the user is above the age of electronic consent, and these measures should be proportionate to the nature and risks of the processing activities. If the users state that they are over the age of digital consent, then the controller may carry out appropriate checks to verify that this statement is true. Although the need to undertake reasonable efforts to verify age is not explicit in the GDPR it is implicitly required, for if a child gives consent while not old enough to provide valid consent on their own behalf, then this will render the processing of data unlawful. If the user states that he or she is below the age of digital consent, then the controller can accept this statement without further checks, but will need to go on to obtain parental authorisation and verify that the person providing that consent is a holder of parental responsibility. Age verification should not lead to excessive data processing. The mechanism chosen to verify the age of a data subject should involve an assessment of the risk of the proposed processing.
The GDPR does not specify how a child's age should be verified, so it is up to the data controller to decide. As an example of an age verification method, the Guidelines indicate that (in some low-risk situations) it may be appropriate to require new subscribers to disclose their year of birth or to complete a form stating that they are (are not) a minor. However, the Guidelines point out that this solution may have certain disadvantages.
The verification method should be clearly tailored to the level of risk in the circumstances and should not lead to the collection of redundant data. It is also advisable that the controller justifies and documents the rationale for the adequacy of the verification method used, in order to comply with the principle of accountability.
How is it verified that the person giving consent has parental responsibility or custody of the child?
If the child is under the age of 16 years, the processing of his/her personal data shall only be lawful under GDPR Article 8 if and to the extent that consent is given or authorised by the holder of parental responsibility for the child. The controller must make reasonable efforts, taking into account available technology, to verify that the person who has given consent is the holder of parental responsibility for the child. Again, the GDPR does not specify how this verification should take place. It is therefore up to the data controller to choose the method of verification. So how should one go about verifying that consent has been given by a holder of parental responsibility for the child?
The European Data Protection Supervisor:
Recommends a proportionate approach, which could include requesting a limited amount of information, such as contact details of the parent or guardian; verification that in itself requires excessive collection of personal data should be avoided;
Notes that measures may depend on the risks involved in the processing and on the technology available;
Notes that in low-risk situations it may be sufficient to verify parental authority by e-mail;
Notes that in high-risk situations it may be appropriate to ask for more evidence (e.g. a parent or guardian may be asked to make a payment of EUR 0.01 to the controller by bank transfer and to confirm in the description of the transaction that the bank account holder has parental authority or custody of the child);
Indicates that the data controller must inform the child of the possibility of withdrawing consent after the age at which consent can be given electronically.
The Irish regulator refers to the following methods which have been approved by the Federal Trade Commission in the USA as methods of fulfilling similar obligations:
Signing the consent form and sending it to the organisation by fax, mail or electronic scan;
Using a credit card, debit card or other online payment method that provides the account holder with notification of each individual transaction;
Calling a toll-free number staffed by trained staff;
Connecting with trained staff via video conferencing;
Answering a series of questions that would be difficult for someone other than the parent to answer.
The verification method should clearly be tailored to the level of risk in the circumstances and should not result in the collection of redundant data. It is also advisable, for accountability purposes, that the controller justifies and documents the rationale for the adequacy of the verification methods used.
Can Member States provide for a lower age limit in their legislation?
Yes, but the age limit cannot be lower than 13 years. Poland has not provided for a lower age limit, so the age limit in Poland is 16.
Where to start?
Counter-intuitively, ensuring compliance with the requirements of GDPR Article 8 can present many difficulties. Given that the GDPR identifies children as data subjects requiring special protection, data controllers planning to process this type of data should ensure that they have implemented measures to adequately protect them.
The starting point can (and, in some cases, should) be to conduct a data protection impact assessment in accordance with GDPR Article 35. Such an assessment will adequately identify and address the risks associated with the proposed functioning of the solution/service in question, in particular in order to adequately implement the processing principles under the GDPR, including lawfulness of processing, transparency and privacy by default and by design.