In my business, I need to process personal data referring to minors of age. Is there anything I should know?
Some provisions of the GDPR set specific rules for the processing of personal data referring to minors of age, notably GDPR-Article 8, paragraph 1:
“Where point (a) of Article 6(1) applies, in relation to the offer of information society services directly to a child, the processing of the personal data of a child shall be lawful where the child is at least 16 years old. Where the child is below the age of 16 years, such processing shall be lawful only if and to the extent that consent is given or authorized by the holder of parental responsibility over the child.”
Let’s have a closer look at this clause:
- First of all, unlike the rest of the GDPR, this provision only applies to services provided online (“information society services”)
- Most importantly, it only applies if the offer of information society services is expressly, solely or mainly intended for children. This is the case, where children are being expressly addressed e.g. in an informal, childish language, where the goods, services or content offered is specifically meant for children (e.g. child literature, games, school-related resources etc.) or, obviously, where the offer is expressly limited to children (“just for kids”). It instead is not sufficient, that you offer or sell goods, services or content that may be suitable for children or includes child-friendly items. Therefore, if you sell toys online, this does not necessarily imply that your online shop is “directly offered to children”.
- It only applies in case the legal basis for processing personal data is consent. So, if you’re selling ring-tones to teens for their smartphones, personal data collected when completing the purchase (name, last name, e-mail address, payment details) will typically be “necessary for the performance of a contract to which the data subject is party” and thus covered by the contractual legal basis (Art. 6 par. 1 lit. b). If, however, you would also like to use the data subject’s e-mail address to send out newsletters about your ringtones, then you will need to collect the data subject’s consent since the processing of personal data for marketing purposes is not covered by the contractual scope. This is where art. 8 becomes relevant: if the data subject is less than 16 years of age, you’ll need to get the consent also by his/her parents.
- “Minors” for the purposes of art. 8 GDPR are children below 16 years of age. The GDPR, however, allows member states to lower this minimum age to 13. For instance, Austria has lowered the threshold age to 14 years.
If you think that such conditions are all met in your case, you should definitely implement an additional step into your online-offer, allowing you to check the age of your users. To these ends, a pop-up window with a question (“How old are you?” or “Which year were you born in?”) will be enough.
How do I collect consent from the parents or have them authorize their child’s consent?
Art. 8 gives you two options: you either collect such consent directly from the data subject’s parents, or you have the parents “authorize” the data subject’s consent. No processing of personal data may be performed, before one of these two options has been played out.
The question is: how do I know who the parents are and that they are actually giving their consent? There is no clear answer to this question. Commentators have pointed out various methods to check the identity and collect consent, including:
- the provision of passport or ID copy via e-mail;
- the provision of a consent or authorization letter signed by the parents via e-mail;
- the processing of online orders through the parents’ credit card;
- the parents’ consent or authorization is expressed via telephone.
All of these methods imply a heavy burden for all involved parties. Therefore, some commentators have pointed out that the well known double-opt-in method could also serve for this purpose.
A 14-year-old data subject wants to subscribe to a newsletter. After having declared that he’s 14 years old, he needs to provide a) his own e-mail address, to which newsletters will eventually be sent and b) his parent’s e-mail address. After having subscribed, both the data subject and the parents receive an automated e-mail, asking to confirm the subscription and confirm that the parents agree to such processing of their son’s personal data.
Of course, one could claim that a smart teen would need less than a minute to open up fake e-mail accounts for his parents. But in a way, the same reasoning applies to any other authentication procedure: in the end, it’s the parents’ responsibility to prevent such abuses by their children.
As a golden rule, you should always pick the authentication method according to the risk potentially resulting from the processing of personal data. In the newsletter example, where the risk is considerably low, the double-opt-in procedure could be deemed as sufficient.
If instead, you’re collecting the data subject’s consent to make some of his personal data publicly available on the internet, this might entail considerably high risks: in this case, you should rather go for a more complex but safer authentication method, such as requesting the submission of passports or IDs.