
GDPR and Children’s Personal Data: A Basic Guide

The General Data Protection Regulation (GDPR) has been in effect since May 2018 and has a significant impact on how organisations process personal data. This is particularly relevant when it comes to children’s personal data, which requires more thought and an even higher level of protection. This article will explore what the GDPR says about processing children’s personal data, best practices for organisations processing it, and the consequences of non-compliance with the obligations imposed by the GDPR.

The GDPR and its impact on processing children’s personal data

The GDPR defines personal data as any information that relates to an identified or identifiable natural person. Children’s personal data falls in the category of personal data and is subject to the same protections as any other personal data. However, children are considered vulnerable individuals, since they may be less aware of the risks, consequences and safeguards concerned and their rights in relation to the processing of their personal data. Their status merits specific protection, making it necessary for organisations to take additional precautions when handling their data.

One of the key requirements of the GDPR is the necessity of a lawful basis whenever personal data is being processed. The GDPR lists the six possibilities in Art. 6. Where consent is used as the lawful basis in relation to information society services (e.g. social media, apps or online games), the GDPR has dedicated a separate article with special rules for the processing of a child’s personal data. Article 8 GDPR states that children below the age of 16 cannot give valid consent for their personal data to be processed. In such cases organisations must obtain the consent of the children’s parents or guardians. The GDPR allows EU member states to lower the age threshold to a minimum of 13 years. If we take Sweden as an example, the processing of personal data of children below 13 years old requires the consent of a guardian, while children above the age of 16 have reached a level of maturity that should generally make it possible for them to give valid consent by themselves. For children in the age range of 13 to 16, the Swedish authority's guide states that an assessment needs to be done on a case-by-case basis. Besides the age and maturity of the child, the relevant factors in assessing whether the child can be considered able to understand the possible consequences of the processing are how sensitive the processed data is and how long it will be stored. Organisations must make reasonable efforts to verify that valid consent by the child or their guardian was obtained.

As usual, valid consent for the processing of personal data means that it must be a clear, specific and informed affirmative action by the individual (or their guardian in this case). Particularly close attention should be paid to the consent form and privacy notice: those provided to children must be written in language that is easy to understand and must provide all necessary information about the processing of their personal data. Even if the consent of a guardian is required, the information provided to the guardian should state that the child should also be informed about the processing, since individual.

Best practices for organisations processing children’s data

Organisations handling children’s data must adhere to the data protection by design and by default principles. This means that privacy considerations must be built into all stages of the development of products and services, including the design and deployment phases. Organisations may also need to conduct a data protection impact assessment (DPIA) specific to children’s data to identify any potential risks to their privacy and implement appropriate measures to mitigate these risks.

Clear and concise privacy notices are essential for organisations that process children’s personal data. These notices must provide all necessary information about the processing of children’s personal data and must be written in language that is easy to understand. Pictures with animals, cartoons and animated videos can be used to convey information to children. Organisations must also ensure that they have appropriate security measures in place to safeguard children’s data, such as encryption, access controls and regular backups.

It is crucial to regularly review and update policies and procedures related to children’s personal data processing to ensure continuous compliance with GDPR. This should include regular training for employees, assessments of security measures, and reviews of data retention procedures.

Consequences of non-compliance with GDPR with regard to children’s personal data

Organisations that fail to comply with obligations under the GDPR may face fines imposed by the regulator. If the GDPR violation includes personal data of children, this will be seen as an aggravating factor and will likely affect the size of the fine. It should also be noted that the GDPR allows supervisory authorities to restrict organisations from processing personal data, which may have an even more fundamental impact on an organisation. Here too, the vulnerable nature of children will likely lead to a more hard-line approach by the authorities.

Two other potentially devastating consequences of breaching GDPR obligations, especially if they relate to children, are reputation damage, which can have long-lasting effects, and lengthy and costly lawsuits, which may be brought by individuals or by organisations on their behalf.

In summary

It is crucial for organisations to be proactive and vigilant in protecting children’s personal data. The GDPR provides a framework for protecting personal data, including children’s data, and organisations must ensure that they are compliant with the obligations outlined in the regulation and related guidance. Children are seen as a vulnerable group which needs special protection. By understanding the obligations under the GDPR, implementing best practices for handling children’s personal data, and being aware of the consequences of non-compliance, organisations can protect the rights of children and ensure that their personal data is processed lawfully and responsibly.
