Where services are offered directly to a child, data controllers must make sure that privacy notices are written in a clear, plain way that a child will understand. Although the Regulation calls for similar rules about clear language in general, it’s important that data controllers know the age of the intended audience and provide an appropriately phrased notice.
The reason for these rules, the GDPR states, is because children “may be less aware of the risks, consequences and safeguards” of handing over their personal details. The Regulation emphasizes that this is particularly the case with services offered directly to a child, and when children’s personal data is used for marketing purposes and creating online profiles.
Data controllers don’t need to seek the consent of parental figures when the processing is related to preventive or counseling services offered directly to the child.
Some of the pertinent sections in the GDPR that mention children are included below;
GDPR Article 12 - Transparency and modalities
Transparent information, communication and modalities for the exercise of the rights of the data subject
Paragraph 1. The controller shall take appropriate measures to provide any information referred to in Articles 13 and 14 and any communication under Articles 15 to 22 and 34 relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child. The information shall be provided in writing, or by other means, including, where appropriate, by electronic means. When requested by the data subject, the information may be provided orally, provided that the identity of the data subject is proven by other means.
GDPR Citation (38) Children merit specific protection with regard to their personal data, as they may be less aware of the risks, consequences and safeguards concerned and their rights in relation to the processing of personal data. Such specific protection should, in particular, apply to the use of personal data of children for the purposes of marketing or creating personality or user profiles and the collection of personal data with regard to children when using services offered directly to a child. The consent of the holder of parental responsibility should not be necessary in the context of preventive or counselling services offered directly to a child.
GDPR Citation (58) The principle of transparency requires that any information addressed to the public or to the data subject be concise, easily accessible and easy to understand, and that clear and plain language and, additionally, where appropriate, visualisation be used. Such information could be provided in electronic form, for example, when addressed to the public, through a website. This is of particular relevance in situations where the proliferation of actors and the technological complexity of practice make it difficult for the data subject to know and understand whether, by whom and for what purpose personal data relating to him or her are being collected, such as in the case of online advertising. Given that children merit specific protection, any information and communication, where processing is addressed to a child, should be in such a clear and plain language that the child can easily understand.
GDPR Citation (65) A data subject should have the right to have personal data concerning him or her rectified and a ‘right to be forgotten’ where the retention of such data infringes this Regulation or Union or Member State law to which the controller is subject. In particular, a data subject should have the right to have his or her personal data erased and no longer processed where the personal data are no longer necessary in relation to the purposes for which they are collected or otherwise processed, where a data subject has withdrawn his or her consent or objects to the processing of personal data concerning him or her, or where the processing of his or her personal data does not otherwise comply with this Regulation. That right is relevant in particular where the data subject has given his or her consent as a child and is not fully aware of the risks involved by the processing, and later wants to remove such personal data, especially on the internet. The data subject should be able to exercise that right notwithstanding the fact that he or she is no longer a child. .."
GDPR Article 8 - Conditions applicable to child's consent in relation to information society services
1. Where point (a) of Article 6(1) applies, in relation to the offer of information society services directly to a child, the processing of the personal data of a child shall be lawful where the child is at least 16 years old. Where the child is below the age of 16 years, such processing shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child.
Member States may provide by law for a lower age for those purposes provided that such lower age is not below 13 years.
2. The controller shall make reasonable efforts to verify in such cases that consent is given or authorised by the holder of parental responsibility over the child, taking into consideration available technology.
3. Paragraph 1 shall not affect the general contract law of Member States such as the rules on the validity, formation or effect of a contract in relation to a child.
GDPR Article 4 Definitions
(25) ‘information society service’ means a service as defined in point (b) of Article 1(1) of Directive (EU) 2015/1535 of the European Parliament and of the Council (1);
Directive (EU) 2015/1535 of the European Parliament and of the Council - Article 1 ;
1. For the purposes of this Directive, the following definitions apply:
(a)‘product’ means any industrially manufactured product and any agricultural product, including fish products;
(b)‘service’ means any Information Society service, that is to say, any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services.
For the purposes of this definition:
(i)‘at a distance’ means that the service is provided without the parties being simultaneously present;
(ii)‘by electronic means’ means that the service is sent initially and received at its destination by means of electronic equipment for the processing (including digital compression) and storage of data, and entirely transmitted, conveyed and received by wire, by radio, by optical means or by other electromagnetic means;
(iii)‘at the individual request of a recipient of services’ means that the service is provided through the transmission of data on individual request.
Indicative list of services not covered by the second subparagraph of point (b) of Article 1(1)
1. Services not provided ‘at a distance’
Services provided in the physical presence of the provider and the recipient, even if they involve the use of electronic devices:
(a)medical examinations or treatment at a doctor's surgery using electronic equipment where the patient is physically present;
(b)consultation of an electronic catalogue in a shop with the customer on site;
(c)plane ticket reservation at a travel agency in the physical presence of the customer by means of a network of computers;
(d)electronic games made available in a video arcade where the customer is physically present.
2. Services not provided ‘by electronic means’
services having material content even though provided via electronic devices:
(a)automatic cash or ticket dispensing machines (banknotes, rail tickets);
(b)access to road networks, car parks, etc., charging for use, even if there are electronic devices at the entrance/exit controlling access and/or ensuring correct payment is made,
offline services: distribution of CD-ROMs or software on diskettes,
services which are not provided via electronic processing/inventory systems:
(a)voice telephony services;
(c)services provided via voice telephony or fax;
(d)telephone/telefax consultation of a doctor;
(e)telephone/telefax consultation of a lawyer;
(f)telephone/telefax direct marketing.
3. Services not supplied ‘at the individual request of a recipient of services’
Services provided by transmitting data without individual demand for simultaneous reception by an unlimited number of individual receivers (point to multipoint transmission):
(a)television broadcasting services (including near-video on-demand services), covered by point (e) of Article 1(1) of Directive 2010/13/EU;
(b)radio broadcasting services;