Processing Children’s Data
In advance of the Data Protection Act 2018, the Data Protection Commissioner (“DPC”) has issued guidelines on the topic of children’s data. Organisations that process data from underage subjects must ensure that they have adequate systems in place to verify an individual’s age and gather consent from a parent or guardian (for the purposes of this article, “parent”), where required.
If parental consent is sought, organisations must also make reasonable efforts and use available technology to verify that the person giving consent is, in fact, the parent of the child in question. The EU ‘Article 29 Working Party’ (“WP29”) also published guidelines which propose that “reasonable efforts” could include verification of parental responsibility via email in low-risk cases. In high-risk cases, it may be appropriate to ask for more proof, so that the controller is able to verify that parental authorisation was given. The WP29 have given an example of a parent being asked to make a payment of €0.01 to the data controller via a bank transaction, including a brief confirmation in the description line of the transaction that the bank account holder is a holder of parental responsibility over the user.
The GDPR introduces special protections for children’s data, particularly in the context of social media and commercial internet services. Consent also needs to be verifiable and, therefore, communications to underage customers must be in a language they can understand. We set out below a quick guide for easy reference:
- The language used in notices must be child friendly.
- Only those aged 13 and over can consent.
- You must verify that the person giving consent is 13 or over.
- If they are under 13 then you need to get parental consent.
- You must make reasonable efforts, using available technology, to verify that the consenting adult is a parent.
For more information, please get in touch with your usual Whitney Moore contact or any member of our Privacy and Data Protection team.