Children, Consent and the GDPR
There is a lot to be done to prepare for the GDPR coming into force. One area is the requirement for parental consent in relation to the provision of information society services to children under the age of 16.
Under English law children, once they are old enough to be able to form the intention to enter into a contract, have the ability to enter into contracts to buy most goods and services.
So, for example, a ten-year-old can buy sweets and stationery items from the newsagent's. There are, of course, some goods, such as alcohol, tobacco, pets, lottery tickets and fireworks, which the law prohibits retailers from selling to persons under specified ages.
The General Data Protection Regulation, when it comes into force on 25 May 2018, will add to the list of exceptions. Article 8 provides that any processing of personal data in relation to an offer for the provision of “information society services” directly to a child aged under 16, where the lawful basis for processing is consent, is lawful only if and to the extent that the consent is given or authorised by the holder of parental responsibility over the child.
There is an obligation on the person offering the services to make reasonable efforts to verify that consent has been given by a “parent”. ‘Information society services’ includes most internet services provided at the user’s request, normally for remuneration.
The GDPR emphasises that protection is particularly significant where children’s personal information is used for the purposes of marketing and creating online profiles.