The GDPR brings in many new regulations when it comes to children and their rights. In this module we will look at the changes and new points that have been added to further the protection of children’s data.
Children need particular protection when you are collecting and processing their personal data because they may be less aware of the risks involved. If you process children’s personal data, then you should think about the need to protect from the outset and design your systems and processes with this in mind.
Compliance with the data protection principles and in particular fairness should be central to all your processing of children’s data.
What should our general approach to processing children’s personal data be?
Children need particular protection when you are collecting and processing their personal data because they may be less aware of the risks involved.
If you process children’s personal data, or think that you might, then you should consider the need to protect them from the outset and design your systems and processes with this in mind.
Fairness, and compliance with the data protection principles, should be central to all your processing of children’s personal data.
It is good practice to consult with children when designing your processing.
What do we need to think about when choosing a basis for processing children’s personal data?
As with adults, you need to have a lawful basis for processing a child’s personal data, and you need to decide what that basis is before you start processing.
You can use any of the lawful bases for processing set out in the GDPR when processing children’s personal data. But for some bases there are additional things you need to think about when your data subject is a child.
If you wish to rely upon consent as your lawful basis for processing, then you need to ensure that the child can understand what they are consenting to; otherwise the consent is not ‘informed’ and is therefore invalid. There are also some additional rules for online consent.
If you wish to rely upon ‘performance of a contract’ as your lawful basis for processing, then you must consider the child’s competence to agree to the contract and to understand the implications of this processing.
If you wish to rely upon ‘legitimate interests’ as your lawful basis for processing, you must balance your own (or a third party’s) legitimate interests in processing the personal data against the interests and fundamental rights and freedoms of the child. This involves a judgement as to the nature and purpose of the processing and the potential risks it poses to children. It also requires you to take appropriate measures to safeguard against those risks.
What are the rules about an ISS and consent?
Consent is not the only basis for processing children’s personal data in the context of an ISS (information society service). However, if you do rely upon consent as your lawful basis for processing personal data when offering an ISS directly to children, in the UK only children aged 13 or over can consent for themselves. (This is the age proposed in the Data Protection Bill and is subject to Parliamentary approval.) You therefore need to make reasonable efforts to verify that anyone giving their own consent in this context is old enough to do so.
For children under this age you need to get consent from whoever holds parental responsibility for them – unless the ISS you offer is an online preventive or counselling service.
You must make reasonable efforts (using available technology) to verify that the person giving consent does, in fact, hold parental responsibility for the child.
You should regularly review the steps you are taking to protect children’s personal data and consider whether you are able to implement more effective verification mechanisms when obtaining consent for processing.
What if we want to market to children?
Children merit specific protection when you are using their personal data for marketing purposes. You should not exploit any lack of understanding or vulnerability.
They have the same rights as adults to object to the processing of their personal data for direct marketing. So, you must stop doing this if a child (or someone acting on their behalf) asks you to do so.
If you wish to send electronic marketing messages to children, then you also need to comply with the Privacy and Electronic Communications Regulations 2003.
What if we want to profile children or make automated decisions about them?
In most circumstances you should not make decisions about children that are based solely on automated processing (including profiling) if these have a legal effect on the child, or similarly significantly affect them.
The GDPR gives children the right not to be subject to this type of decision. Although there are exceptions to this right, they only apply if suitable measures are in place to protect the rights, freedoms and legitimate interests of the child.
If you profile children, then you must provide them with clear information about what you are doing with their personal data. You should not exploit any lack of understanding or vulnerability.
It is possible for behavioural advertising to ‘similarly significantly affect’ a child; whether it does depends on the nature of the choices and behaviour it seeks to influence.
How does the right to be informed apply to children?
You must provide children with the same information about what you do with their personal data as you give adults. It is good practice to also explain the risks inherent in the processing and the safeguards you have put in place.
You should write in a concise, clear and plain style for any information you are directing to children. It should be age-appropriate and presented in a way that appeals to a young audience.
If you are relying upon parental consent as your lawful basis for processing it is good practice to provide separate privacy notices aimed at both the child and the responsible adult.
If you provide an ISS and children younger than your target age range are likely to try and access it then it is good practice to explain any age limit to them in language they can understand.
Children have the same rights as adults over their personal data and can exercise their own rights as long as they are competent to do so. Where a child is not considered to be competent, an adult with parental responsibility may exercise the child’s data protection rights on their behalf.
How does the right to erasure apply to children?
Children have the same right to have their personal data erased as adults.
This right is particularly relevant when an individual originally gave their consent to processing when they were a child, without being fully aware of the risks.
One of the specified circumstances in which the right to erasure applies is when you collected the personal data of a child under the lawful basis of consent, when offering an ISS directly to a child.
It should generally be as easy for a child to exercise their right to erasure as it was for them to provide their personal data in the first place.
When it comes to the GDPR and children, there are certain things you should know and have in place.
• You comply with all requirements of the GDPR, not just those specifically relating to children and included in this checklist.
• You design your processing with children in mind from the outset and use a data protection by design and by default approach.
• You make sure that your processing is fair and complies with the data protection principles.
• As a matter of good practice, you use DPIAs (data protection impact assessments) to help you assess and mitigate the risks to children.
• If your processing is likely to result in a high risk to the rights and freedoms of children, then you always do a DPIA.
• As a matter of good practice, you consult with children as appropriate when designing your processing.
Bases for processing a child’s personal data
• When relying on consent, you make sure that the child understands what they are consenting to, and you do not exploit any imbalance of power in the relationship between you.
• When relying on ‘necessary for the performance of a contract’, you consider the child’s competence to understand what they are agreeing to, and to enter into a contract.
• When relying upon ‘legitimate interests’, you take responsibility for identifying the risks and consequences of the processing and put age-appropriate safeguards in place.
Offering an Information Society Service (ISS) directly to a child, on the basis of consent
• If you decide not to offer your ISS (online service) directly to children, then you mitigate the risk of them gaining access, using measures that are proportionate to the risks inherent in the processing.
• When offering an ISS to UK children on the basis of consent, you make reasonable efforts (taking into account the available technology and the risks inherent in the processing) to ensure that anyone who provides their own consent is at least 13 years old.
• When offering an ISS to UK children on the basis of consent, you obtain parental consent to the processing for children who are under the age of 13 and make reasonable efforts (taking into account the available technology and the risks inherent in the processing) to verify that the person providing consent holds parental responsibility for the child.
• When targeting wider European markets, you comply with the age limits applicable in each Member State.
• You regularly review available age verification and parental responsibility verification mechanisms to ensure you are using appropriate current technology to reduce risk in the processing of children’s personal data.
• You don’t seek parental consent when offering online preventive or counselling services to a child.
Marketing to children
• When considering marketing to children, you take into account their reduced ability to recognise and critically assess the purposes behind the processing and the potential consequences of providing their personal data.
• You take into account sector-specific guidance on marketing, such as that issued by the Advertising Standards Authority, to make sure that children’s personal data is not used in a way that might lead to their exploitation.
• You stop processing a child’s personal data for the purposes of direct marketing if they ask you to.
• You comply with the direct marketing requirements of the Privacy and Electronic Communications Regulations (PECR).
Solely automated decision making (including profiling)
• You don’t usually use children’s personal data to make solely automated decisions about them if these will have a legal or similarly significant effect upon them.
• If you do use children’s personal data to make such decisions, then you make sure that one of the exceptions in Article 22.2 applies and that suitable, child-appropriate measures are in place to safeguard the child’s rights, freedoms and legitimate interests.
• In the context of behavioural advertising, when deciding whether a solely automated decision has a similarly significant effect upon a child, you take into account: the choices and behaviours that you are seeking to influence; the way in which these might affect the child; and the child’s increased vulnerability to this form of advertising; using wider evidence on these matters to support your assessment.
• You stop any profiling of a child that is related to direct marketing if they ask you to.
Privacy notices and the right to be informed
• Your privacy notices are clear, and written in plain, age-appropriate language.
• You use child-friendly ways of presenting privacy information, such as: diagrams, cartoons, graphics and videos, dashboards, layered and just-in-time notices, icons and symbols.
• You explain to children why you require the personal data you have asked for, and what you will do with it, in a way which they can understand.
• As a matter of good practice, you explain the risks inherent in the processing and how you intend to safeguard against them, in a child-friendly way, so that children (and their parents) understand the implications of sharing their personal data.
• You tell children what rights they have over their personal data in language they can understand.
• As a matter of good practice, if you are relying upon parental consent then you offer two different versions of your privacy notices: one aimed at the holder of parental responsibility and one aimed at the child themselves.
The child’s data protection rights
• You design the processes by which a child can exercise their data protection rights with the child in mind and make them easy for children to access and understand.
• You allow competent children to exercise their own data protection rights.
• If your original processing was based on consent provided when the individual was a child, then you comply with requests for erasure whenever you can.
• You design your processes so that, as far as possible, it is as easy for a child to get personal data erased as it was for them to provide it in the first place.