Every person, no matter their age, has the right to have their personal information protected and used only in a fair and lawful manner.
As children may be less aware of their rights, as well as the risks, associated with the processing of their personal data, the General Data Protection Regulation (GDPR) considers children to be vulnerable data subjects – and thus gives them specific protection in this regard.
In late 2020, the Data Protection Commissioner (DPC) published a comprehensive draft guidance document entitled ‘Children Front and Centre: Fundamentals for a Child-Oriented Approach to Data Processing’. Following detailed public consultation, the guidance sets out 14 principles for organisations to follow when processing children’s data.
- Floor of protection
- Clear-cut consent
- Zero interference
- Know your audience
- Information in every instance
- Child-oriented transparency
- Let children have their say
- Consent doesn’t change childhood
- Your platform, your responsibility
- Don’t shut out child users or downgrade their experience
- Minimum user ages aren’t an excuse
- Prohibition on profiling
- Do a data protection impact assessment (DPIA)
- Bake it in
This article will briefly discuss the key principles and examine how organisations can ensure their compliance.
Children’s data protection rights
For the purposes of Irish data protection law, a child is considered to be anyone under the age of 18. Organisations should treat children as data subjects in their own right and allow them to exercise their rights in relation to their personal data at any time – provided they have the capacity to do so, and it is in their best interests.
Where an organisation refuses, or partly refuses, to facilitate a child in exercising their data subject rights on the basis that it would not be in the best interests of the child, the organisation should clearly set out the reasons for taking such action and inform the child that a request may be made on their behalf.
Under Irish law, there is a rebuttable presumption that a parent/guardian is acting in the best interests of the child unless there is evidence to the contrary. That being said, organisations should undertake an independent assessment of whether it is in the best interests of the child to facilitate such a request. They should consider factors such as the nature of the service being provided, the personal data being processed and the maturity of the child.
Who does the DPC guidance apply to?
The guidance applies to any organisation whose services are directed at, intended for or likely to be accessed by children. That means organisations must take steps to identify their users and gain knowledge about them. If in doubt, the guidance makes clear that ‘likely to be accessed by a child’ should be understood to mean more likely than not.
Where a service is accessed by children, an organisation has two choices:
- A ‘floor of protection’ can be applied whereby all users, irrespective of age, benefit from a high and standardised level of data protection sufficient to protect the rights of child users.
- Alternatively, organisations can take a ‘risk-based’ approach to verifying the age of users, so they can ensure the guidance is adhered to in appropriate circumstances. If an organisation decides to implement age verification mechanisms, there are certain minimum criteria which should be considered when determining the approach. (Please see the draft guidance for a non-exhaustive selection of criteria.)
It’s important to clearly communicate privacy information about how personal data is used, using concise, clear and plain language that is suited to the age of the child.
Additionally, the DPC considers that organisations should actively promote privacy-protective measures amongst children. This can be done in a number of ways including:
- Using just-in-time notifications to inform children and young people about any possible risks or consequences involved in sharing their personal data at a particular moment in time.
- Providing direct communications links with the organisation through the use of instant chat functions, query email addresses and privacy dashboards. This allows children to ask questions regarding the processing of their data.
Age of digital consent and age verification mechanisms
In Ireland, the age of digital consent – or the minimum age at which a child may give consent in relation to online services – is 16. If the child is under that age, consent must be given or authorised by the person with parental responsibility for the child.
The GDPR requires that online service providers must make ‘reasonable efforts’ to verify that consent is given by the holder of parental responsibility ‘taking into consideration available technology’.
Importantly, organisations offering online services in multiple countries should also be aware that each EU member state may decide its own age of digital consent. Ages vary from 13 to 16.
Organisations which stipulate minimum age requirements to access their services should take appropriate steps to ensure that age verification mechanisms are effective to prevent children below that age from accessing their service. These mechanisms will depend on a number of factors, such as the services being offered, and the sensitivity of the data being processed.
Direct marketing, profiling and advertising
Online service providers should not profile children or carry out automated decision making in relation to children, or otherwise use their personal data, for marketing and/or advertising purposes unless they can clearly demonstrate how and why it is in the best interests of the child to do so. Such an exemption may apply in the context of preventative and/or counselling services being offered directly to a child.
Organisations deriving revenue from online technologies pose particular risks to the rights and freedoms of children. Therefore, they must be especially cautious of their obligations in relation to measures around age verification and verification of parental consent.
Tools to ensure a high level of data protection for children
The DPC states that online service providers should undertake data protection impact assessments (DPIAs) to minimise the data protection risks of their services and, in particular, the specific risks to children which arise from the processing of their personal data. The principle of ‘best interests of the child’ is a key criterion in any DPIA, and must prevail over the commercial interests of any organisation in the event of a conflict between the two.
The final version of the guidance will inform the DPC’s approach to supervision, regulation and enforcement in the area of processing of children’s personal data. Thus, all organisations should carefully review the draft guidance to understand how this impacts them and incorporate the recommendations into their data protection practices and procedures.
Checklist for your organisation:
- Have I read the DPC’s draft guidance and considered how the 16 key principles apply to my organisation?
- Are we conveying privacy information in plain and accessible language?
In the case of online services:
- Are users 16 years or older, or has consent been given by an adult?
- Is my organisation profiling or conducting automated decision making on underage data subjects?
- Has my organisation conducted a DPIA?