Lawful use of data about children
The Law contains provisions (in section 10) designed to enhance the protection of personal data relating to a child under 13 years of age.
Where services are offered directly to a child, you must ensure that your data processing notice is written in a clear, plain way that a child will understand – see this page for an example of a child-friendly data processing notice). Regard must be given to the age of the child.
Consent in the context of online processing for a child under 13 years of age must be given or authorised by that child’s parent or guardian.
What do I need to do if I offer online services to children?
If you offer an ‘information society service’ (i.e. online service) to children, you will need to be mindful of the age of the child.
The Law states that if consent is your basis for processing the child’s personal data, a child under the age of 13 may not give that consent themselves and instead consent is required from a person holding ‘parental responsibility’.
‘Information society services’ includes most internet services provided at the user’s request, normally for remuneration.
Controllers are expected to ensure that protection is particularly significant and enhanced where children’s personal information is used for the purposes of marketing and creating online profiles.