Children’s personal data

The GDPR contains new provisions intended to enhance the protection of children’s personal data.

Privacy notices for children

Where services are offered directly to a child, you must ensure that your privacy notice is written in a clear, plain way that a child will understand.

Online services offered to children

If you offer an ‘information society service’ (ie online service) to children, you may need to obtain consent from a parent or guardian to process the child’s data.

The GDPR states that, if consent is your basis for processing the child’s personal data, a child under the age of 16 can’t give that consent themselves and instead consent is required from a person holding ‘parental responsibility’ – but note that it does permit member states to provide for a lower age in law, as long as it is not below 13.

‘Information society services’ includes most internet services provided at the user’s request, normally for remuneration. The GDPR emphasises that protection is particularly significant where children’s personal information is used for the purposes of marketing and creating online profiles.

Parental/guardian consent is not required where the processing is related to preventative or counselling services offered directly to a child.