Children’s Data Under GDPR: Special Considerations and Requirements
The General Data Protection Regulation (GDPR), which came into effect in 2018, is widely regarded as one of the most comprehensive legislative measures on data protection and privacy rights in recent history. It has transformed how businesses handle personal data, holding them to stricter criteria and enhancing individuals’ privacy rights. While the regulation is applicable across industries and to anyone regardless of age, there are special considerations when it comes to processing children’s data. Children, often seen as vulnerable members of society, are granted extra protective measures under the GDPR. Organisations that collect, store, or use children’s data must be particularly mindful of GDPR’s provisions, as improper handling can have both legal and moral consequences.
Understanding these special mandates is essential for organisations to ensure compliance as well as to protect one of their most vulnerable user groups: children.
What Constitutes a Child’s Data?
Under GDPR, a child’s data is simply personal data belonging to an individual under the legal definition of a ‘child’. More specifically, any information that can be used to identify an individual under the age of 18, such as their name, email address, IP address, location data, and behavioural traits, qualifies as children’s data under the regulation. The GDPR’s provisions specify that children require extra safeguarding because they may not fully understand the implications of the data processing activities involving their information.
Personal data includes anything that identifies a child directly or indirectly. This can also extend to information on social media platforms, online games, or educational apps, all environments where children are becoming increasingly active participants.
Consent: Heightened Standards for Children
One of the most significant aspects of the GDPR as it pertains to children’s data is the standard for obtaining consent. Consent remains one of the six lawful bases on which businesses and organisations can process data under the GDPR. However, the regulation sets stricter rules for when this consent involves children.
If an organisation targets services directly at children, especially digital services like apps, social networks, or websites, explicit consent from a legal guardian or parent is required before it processes the personal data of users under 16. EU member states, however, have been granted flexibility to lower the age of consent in their jurisdictions to as low as 13. In the UK, for example, the Age Appropriate Design Code, a law that complements GDPR, has set the age for parental consent at 13.
Moreover, the process of obtaining consent must be transparent and easy to understand. This means that privacy policies and consent forms need to be written in clear, age-appropriate language. The GDPR mandates that consent be informed, specific, and unambiguous. Companies cannot use complex terminology that a child would be unable to grasp. In addition, “pre-ticked boxes” or ambiguous requests for consent are not considered valid under GDPR, especially for children.
The Concept of Children’s Digital Rights
The rise of digital environments has led to mass data collection facilitated by everything from smartphones to online learning apps. With children now engaging in more digital activities than ever, treating them as mere ‘data subjects’ without understanding the nuances of their digital rights could be problematic.
GDPR acknowledges children’s unique position in the digital world by explicitly recognising that children deserve specific protection when it comes to their data. This emphasis on children’s digital rights extends across the entire lifecycle of data processing: from collection, through usage, all the way to deletion.
A key principle of data protection under GDPR is that only the minimum necessary amount of data should be collected, particularly from children. This means organisations should not collect more data than needed for the activity a child is participating in, nor should they keep it longer than necessary. Children’s personal data should not be retained indefinitely; policies surrounding the safe and secure deletion of personal data are integral for compliance.
Profiling and Children: Strict Prohibitions
Profiling under GDPR involves the automated processing of personal data used to evaluate certain personal aspects of an individual. This can include behaviours, preferences, and interests. Given that profiling constitutes a direct engagement with personal data in a way that can influence a child’s future choices or opportunities, it receives extra scrutiny under GDPR.
Specifically, GDPR prohibits organisations from profiling children in a way that produces legal effects or similarly significant consequences. This largely halts the practice of certain forms of automated decision-making for children, especially in situations where it could affect them in a critical manner — for example, decisions concerning which advertisements they may see, or which educational opportunities might be offered based on predictive data models.
This restriction has major implications for businesses engaged in behavioural advertising or systemic algorithmic recommendations for children, signalling the importance of safeguarding young audiences from manipulative or poorly understood outcomes via profiling.
Data Breaches: A Heightened Responsibility for Organisations Processing Children’s Data
In the unfortunate event of a data breach, the consequences can be dire when children’s data is involved. GDPR mandates that organisations must notify relevant data protection authorities of a breach within 72 hours of its discovery. If the breach poses a high risk to individuals, the organisation must also notify affected individuals, outlining the types of data exposed and the steps it will take to address the issue.
When children are involved, this responsibility is compounded by the recognition of their vulnerability. Any mishandling of their data raises further questions around ethical responsibilities, beyond mere legal compliance. Consideration must be given not only to informing the data subject but also to notifying parents or guardians when necessary to rectify the situation or mitigate any potential harm.
Parental Responsibility and the Rights of the Child
Though parents or guardians are often tasked with providing consent on behalf of their underage child, GDPR also recognises that children, at a certain point, should be able to exercise some control over their own data. An integral aspect of GDPR is allowing individuals, including children, to exercise their rights regarding their personal data. These rights include the right to object to data processing, the right to access personal data, and the right to have personal data erased.
The so-called “right to be forgotten” is especially vital in the context of children. If, upon reaching adulthood, an individual requests that their previously submitted data be erased, organisations must comply unless there is a strong legal justification for the continued retention of that data. This right empowers individuals who, after realising they may have agreed to a data-sharing process as a child, wish to either retract that consent or correct inaccuracies.
Moreover, data concerning a child must be handled in ways that respect not only the desire of the parents for security but also the growing autonomy of the child as they approach adulthood.
Consideration of Emerging Technologies and Children’s Data
One key area of concern for GDPR compliance related to children’s data comes with the evolution of emerging technologies. Virtual learning environments, AI-driven educational tools, and even connected toys have created new ways of interacting with children’s data. These technologies can collect significant amounts of sensitive data, including facial analytics, behavioural tracking, and even biometric data, potentially creating an unprecedented scope of data use.
Emerging technologies pose clear challenges for the protections that GDPR strives to ensure for children. As a result, businesses engaged in edtech and interactive children’s entertainment systems must commit to establishing clear, GDPR-compliant policies to mitigate potential risks. This includes applying data protection impact assessments to thoroughly analyse how these technologies may impact children’s privacy rights and implementing strong security and encryption measures.
Penalties for Noncompliance
Noncompliance with GDPR, particularly when it concerns children’s data, carries significant legal and financial consequences. Fines for violating GDPR can reach up to 4% of an organisation’s annual global turnover or €20 million, whichever is higher. Given the special protections children enjoy, lapses in data protection related to children could be more heavily scrutinised and result in harsher penalties.
In addition to financial penalties, reputational damage can be considerable when the mishandling of children’s personal data is made public. Consumers, parents, and stakeholders are becoming more sensitive to data privacy violations, and trust in an organisation can erode quickly following a high-profile breach or mishandling of data belonging to minors.
Conclusion
For organisations processing data that involves children, GDPR presents unique challenges. Businesses must ensure consent is appropriately obtained, that privacy policies are transparent and easy for a younger audience to comprehend, and that children’s data is not inappropriately retained, profiled, or mishandled.
At the heart of GDPR is the recognition that children are a vulnerable group requiring special attention. Any organisation collecting or using data from children must not only comply with the legal requirements but must also act ethically by fostering a strong culture of protecting children’s privacy.
With the rapidly changing technological landscape, the protections given under GDPR will continue to evolve, forcing companies to constantly assess their obligations and ensure enhanced safeguards for one of the most important demographics entrusted to their care. The responsibility to protect children’s data is a profound one — and under GDPR, it’s not one that can be taken lightly.