Lawful use of data about children
The Law contains provisions (in section 10) designed to enhance the protection of personal data relating to a child under 13 years of age.
Where services are offered directly to a child, you must ensure that your data processing notice is written in a clear, plain way that a child will understand. Regard must be given to the age of the child.
Consent in the context of online processing for a child under 13 years of age must be given or authorised by that child’s parent or guardian.
What do I need to do if I offer online services to children?
If you offer an ‘information society service’ (i.e. online service) to children, you will need to be mindful of the age of the child.
The Law states that if consent is your basis for processing the child’s personal data, a child under the age of 13 may not give that consent themselves and instead consent is required from a person holding ‘parental responsibility’.
‘Information society services’ includes most internet services provided at the user’s request, normally for remuneration.
Controllers are expected to ensure that protection is particularly significant and enhanced where children’s personal information is used for the purposes of marketing and creating online profiles.
RELATED RESOURCES:
- UK ICO Children's Code resources: our UK counterpart, the Information Commissioner's Office (ICO) have a number of useful resources related to The UK's Children’s code (or Age appropriate design code to give its formal title). It is a data protection code of practice for online services, such as apps, online games, and web and social media sites, likely to be accessed by children.
- The EU's 'Better Internet for Kids' portal provides information, guidance and resources. In May 2022, the European Commission adopted a new strategy for a better internet for kids (BIK+) to ensure that children are protected, respected and empowered online in the new Digital Decade, in line with the European Digital Principles.