Specific legislation regarding the processing of children’s data

On 25th May 2018, the new GDPR will introduce specific legislation regarding the processing of children’s data. The Information Commissioners Office (ICO) have published their draft guidance on children in the GDPR and is now seeking comments.

GDPR states that children’s data requires special consideration, and that where data is used for marketing purposes, particular attention must be paid. Children are more vulnerable than other individuals, particularly online, and may not be able to fully understand the risks associated with sharing their personal data. This is the first time that legislation has been specifically directed towards those who offer online services “directly to a child”.

Companies must have a legitimate reason for the processing of children’s data, for example the requirement to consent to website terms and conditions. As a result, this latest guidance focusses predominantly on consent.

Only children over the age of 13 may provide their consent (this is three years lower than some other countries in Europe, including France, Germany and the Netherlands who retain a consent age of 16). Companies seeking consent from those under the age of the 13 must obtain consent from someone with parental responsibility for the child. The GDPR requires that organisations take reasonable steps to verify that those offering consent do truly have parental responsibility for the child.

The GDPR also lays out an individual’s “right to erasure”, this is particularly pertinent to people who have given consent to sharing their data while still a child.

Additionally, companies must make it clear to children how they are going to use their data and write clear, age appropriate privacy notices for kids, using lots of images, cartoons or easily recognised symbols.

GDPR represents an active recognition of children’s rights when it comes to data processing. The current legislation, the Data Protection Act 1998, does not specifically mention children, although it does recognise them as individuals and applies to them as such.

The government’s new Data Protection Bill, which has its second reading in parliament on 5th March, will complement the GDPR and is expected to give added protection to children.

Companies working with children’s data must now review their procedures and make appropriate changes to ensure that they comply with the coming GDPR in May.