Before collecting or processing data on any data subject who is a citizen of the EU or UK, an organization must first get that data subject’s informed consent.
Informed consent is necessary to avoid hefty fines and penalties according to the regulations stipulated by the GDPR.
Consent is fairly simple when dealing with anyone over the age of eighteen. Yet, third-party consent is necessary when a minor is involved, which can complicate the matter significantly.
As complicated as it might be, consent is fundamental for minors, as it protects them from making decisions they are not mature enough to reasonably comprehend. Thus, this principle has been around for quite some time. When dealing with young people such as children and teenagers, what was once a fairly straightforward concept becomes significantly more complicated.
To better understand your responsibilities when acquiring a child’s consent for data collection and processing under the GDPR, this article covers the following topics:
- What are the Conditions of a Child’s Consent for Data Activities?
- Best Practices for Upholding the Conditions of a Child’s Consent
- Conclusion
What are the Conditions of a Child’s Consent for Data Activities?
Under the General Data Protection Regulation (GDPR), a child’s consent is only valid if the child is at least 16 years old. If the child is younger than 16 years old, the consent of a parent or guardian is required to process the child’s personal data. Member states can alter the minimum age for consent; however, the minimum age cannot be below 13 years old.
When acquiring consent from a parent or guardian, the data controller must verify that the consent is given by the parental authority of the child.
The GDPR specifies that when seeking the consent of a child, the controller (the entity that collects and processes personal data) must take into account the child’s age, maturity, and understanding. This means that the controller must use language that is appropriate for the child’s age and level of understanding. They also must provide the child with sufficient information to make an informed decision about giving consent.
In addition to the requirements for obtaining consent from children, the GDPR also includes specific provisions to protect the personal data of children. These provisions include the requirement to provide special protection for the personal data of children and to take into account the interests of the child when processing their personal data.
Overall, the GDPR places strict requirements on controllers when it comes to the processing of personal data, including the processing of children’s personal data. Controllers must ensure that they comply with these requirements to ensure that children’s rights are protected and to avoid fines and other penalties.
How Does a Data Controller Verify Parental Consent?
A data controller must make reasonable efforts to verify that they obtained valid consent from a parental authority to collect or process the personal data of any child in the EU or UK under the age of 16. To verify parental consent, the data controller must be able to provide evidence that the parental authority is informed and understands the processing of a child’s data and has provided explicit consent.
Best Practices for Upholding the Conditions of a Child’s Consent
Organizations need defined policies and procedures to consistently uphold the requirements of obtaining a child’s consent for data collection or processing under the GDPR. Organizations risk significant fines and penalties without specific procedures to ensure compliance. So, here are three best practices to help you maintain compliance:
Follow All Conditions of Consent Under the GDPR
In addition to the conditions of consent for children, the GDPR also establishes specific conditions of consent that organizations must comply with to collect or process data from EU or UK citizens. These conditions of consent include three key factors:
- Consent to data activities is distinguishable from all other matters.
- Data subjects can withdraw consent at any time.
- Consent is given freely.
Complying with these conditions of consent puts you on the right track for fully complying with children’s consent requirements as well. On top of maintaining these conditions of consent, to process a child’s data, you must also create processes for collecting and verifying parental consent. This adds a layer to your data consent forms where you can request age verification and parental consent. You must also be able to verify parental consent as effectively as modern technology allows.
Maintain Detailed Records of a Child's Consent Procedures
All procedures used to verify the age of your data subjects, verify the consent of parental authority, and acquire consent from both the child and the parent must be documented. Since the GDPR stipulates the verification of parental authority based on technological limitations, your processes will change over time. By documenting these processes, you create a basis that can be improved upon as new technology evolves.
In addition to maintaining detailed records of your processes, also maintain detailed records of all child consent forms. These records can help minimize your liabilities under the GDPR should an authority determine a violation. You can use your records to show how your organization made an effort to follow all requirements.
Always Err on the Side of Caution
When deciding whether the consent you received from a child is valid, always err on the side of caution. Instead of including data subjects with questionable consent forms, choose not to handle or process this data. Incorporate this caution into your overall data consent forms and overall data management systems.
Conclusion
Maintaining compliance with GDPR consent requirements is difficult enough when acquiring consent from adults, and the process only becomes more complicated when acquiring a child’s consent for data collection and processing. Data controllers must strictly follow all GDPR requirements for verifying the consent of parental authority and maintain detailed documentation. Satori’s Data Security Platform helps simplify achieving your data compliance needs.