Some provisions of the GDPR set specific rules for the processing of personal data referring to minors of age, notably GDPR-Article 8, paragraph 1:
“Where point (a) of Article 6(1) applies, in relation to the offer of information society services directly to a child, the processing of the personal data of a child shall be lawful where the child is at least 16 years old. Where the child is below the age of 16 years, such processing shall be lawful only if and to the extent that consent is given or authorized by the holder of parental responsibility over the child.”
Let’s have a closer look at this clause:
If you think that such conditions are all met in your case, you should definitely implement an additional step into your online-offer, allowing you to check the age of your users. To these ends, a pop-up window with a question (“How old are you?” or “Which year were you born in?”) will be enough.
Art. 8 gives you two options: you either collect such consent directly from the data subject’s parents, or you have the parents “authorize” the data subject’s consent. No processing of personal data may be performed, before one of these two options has been played out.
The question is: how do I know who the parents are and that they are actually giving their consent? There is no clear answer to this question. Commentators have pointed out various methods to check the identity and collect consent, including:
All of these methods imply a heavy burden for all involved parties. Therefore, some commentators have pointed out that the well known double-opt-in method could also serve for this purpose.
A 14-year-old data subject wants to subscribe to a newsletter. After having declared that he’s 14 years old, he needs to provide a) his own e-mail address, to which newsletters will eventually be sent and b) his parent’s e-mail address. After having subscribed, both the data subject and the parents receive an automated e-mail, asking to confirm the subscription and confirm that the parents agree to such processing of their son’s personal data.
Of course, one could claim that a smart teen would need less than a minute to open up fake e-mail accounts for his parents. But in a way, the same reasoning applies to any other authentication procedure: in the end, it’s the parents’ responsibility to prevent such abuses by their children.
As a golden rule, you should always pick the authentication method according to the risk potentially resulting from the processing of personal data. In the newsletter example, where the risk is considerably low, the double-opt-in procedure could be deemed as sufficient.
If instead, you’re collecting the data subject’s consent to make some of his personal data publicly available on the internet, this might entail considerably high risks: in this case, you should rather go for a more complex but safer authentication method, such as requesting the submission of passports or IDs.