GDPR: Protecting children online

You’re no doubt well aware of GDPR by now, and with good reason.

The General Data Protection Regulation is considered to be the most far-reaching overhaul of data protection rules in a generation.

It will give internet users more control over their data and what sort of details companies can keep on file.

The so-called ‘right to be forgotten’ means any embarrassing pictures from years ago could finally be wiped from existence - or at least taken offline - and Europeans will be able to ask companies to divulge and delete any data they have about them.

Additionally, those irritating pop-up boxes on websites asking users to read and agree to terms and conditions will have to be clearer about what they’re signing up to and how internet companies use their data to target ads.

GDPR goes much deeper than that, but how it will protect the youngest internet users?

Age bands

While the US has the Children’s Online Privacy Protection Act since 1998, the European Union hasn’t had an independent law that addresses the protection of children’s data before GDPR - which takes effect from May 18, 2018.

Even then, the actual language is sort of vague. The GDPR says it has a wide focus on data protection for all natural persons, but the standards must be higher when the collection, use, and disclosure of data comes from children.

There is no distinction between child and adult data subjects in GDPR, but the ‘right to be forgotten’ is more relevant if the consent to data processing was given while a data subject was a child.

Hard time

Companies will have a harder time getting hold of data on children in the first place because, under GDPR, “processing of the personal data of a child” will only be legal for children aged at least 16.

If a child is under 16, companies will need consent from the child's parent or legal guardian to collect and process their data.

Furthermore, collecting data from children under the age of 13 is outright prohibited unless the organisation is an online preventive or counselling service.

Organisations must also make reasonable efforts, using whatever technology they have at their disposal, to verify that the person giving consent does indeed have parental responsibility for the child.

Simplifying jargon

GDPR means that companies won’t be able to make decisions about children based solely on automated processing if there’s the possibility that it will have a legal or similarly significant effect on them.

The circumstances in which GDPR allows companies to make such decisions are limited and only apply if they have suitable measures in place to protect the interests of the child.

In the past, pop-up windows requesting users to agree to T+Cs have often contained unattractive jargon that are hastily okay’ed to get to the good stuff.

However, once GDPR arrives, any notices appearing in these bothersome pop-ups must be written clearly and be age-appropriate for children.

Website operators would be wise to consult with children when designing their data processing practices too.

All this doesn’t mean that marketing to children will disappear overnight, but using the personal data of children for marketing purposes should not exploit any lack of understanding or vulnerability.

Marketing emails to children will also need to comply with the Privacy and Electronic Communications Regulations 2003.

In summary, GDPR should introduce an array of new valuable rules and benchmarks regarding the use of children's’ personal data.