The GDPR and the Digital Age of Consent
“The internet is a city and, like any great city, it has monumental libraries and theatres and museums and places in which you can learn and pick up information and there are facilities for you that are astounding – specialised museums, not just general ones. But there are also slums and there are red light districts and there are really sleazy areas where you wouldn’t want your children wandering alone.” (Stephen Fry, 2009).
Following consultation, the Government has decided that the digital age of consent for children to sign up to digital services without parental approval will be thirteen years of age. This decision follows a consultation process run in conjunction with the drafting of the new Data Protection Bill 2017, which seeks to align Irish law with the rules set out in the EU General Data Protection Regulation (the “GDPR“). The decision was positively received by the Children’s Rights Alliance who had recommended setting the limit at “the lowest age possible”. However, the differing rules on the age of consent across EU member states and the US will create challenges for companies that offer online services and/or international services.
The digital age of consent refers to the age at which children may lawfully sign up for services that process personal information online, without the need to obtain explicit parental consent. In what has been long recognised as an unsatisfactory situation, the current Data Protection Acts 1988 – 2003 do not specify a minimum age at which a person can give consent to having their personal data processed. Under the existing data protection regime a data controller must simply make a judgement on whether the person under the age of eighteen can appreciate the implications of giving consent.
Article 8 of the GDPR, which comes into effect across the EU from May 2018, introduces specific protections for children by limiting their ability to consent without specific parental permission. The GDPR introduces a threshold of sixteen years of age, with an option to allow member states to set a lower age of thirteen or above. In addition to the age limits, Article 8 also provides that data controllers must obtain and use “reasonable efforts” to verify the consent of a parent or guardian when processing a child’s personal data.
The practical implications of the new change for some online businesses may be the requirement to validate each users age. This is not an easy task. In a supermarket where a customer is buying alcohol an attempt can be made to appraise the appearance of a customer and seek identification where they look underage. Unfortunately, no such tried and tested process exists for the online world. Website operators will be required to define the criteria in identifying children and how they will interact with them. The approach will depend upon the nature of services or products which they offer.
The GDPR creates an onus on businesses to show that they have considered the potential risks to children presented by their sites and take appropriate precautions to prevent these. As with most aspects of the GDPR, businesses are advised to take a risk based approach and act early. This may require additional IT development work if access to certain parts of their website will need to be restricted to verified users. Businesses should also review marketing practices and online terms and conditions and make changes if necessary.
For more information, please get in touch with your usual Whitney Moore contact or any member of our Privacy and Data Protection team.