We #StandWithUkraine, find out how to help here.
Last updated: 25.10.17

How will GDPR affect data consent rules for minors

Why is Data Consent for minors so important?

For businesses that process the personal data of customers and clients, the question of data protection and consent is a complex issue, particularly when it comes to children and minors.

A failure to adopt best practice standards in terms of data security can lead to damaging consequences for customers and businesses alike even at the best of times, but when vulnerable young people are affected, it can lead to potentially irreversible reputational damage.

As such, the new EU-wide General Data Protection Regulation (GDPR) will be introducing a number of measures designed to raise standards when it comes to protecting the rights of young people, with harsh penalties in place for companies that fall short of the required standard. As such, it's essential that all organisations educate themselves on how the new data consent rules will work before they take effect from May 2018.

The basics of the new consent rules

One of the most basic tenets of the new GDPR rules is that of lawful processing - that is to say, ensuring that all companies that are processing personal data have explicit permission and a lawful basis for doing so.

Whereas in the past, implicit or opt-out consent checks were deemed permissible, the GDPR requires subjects to signal their consent through a statement or a clear affirmative action that has been freely given in a specific, informed and unambiguous way. This consent check must be separate from other terms and conditions, with simple methods offered to allow people to withdraw this permission at any time.

These regulations are even more exacting for companies that provide online services to children, as in these cases, the GDPR states that a person holding parental responsibility will have to be the one to provide consent. This makes it necessary for firms to provide privacy notices in clear, plain language that children can understand, as well as to make reasonable efforts to verify that a parent or guardian has provided the appropriate consent.

What age does GDPR apply to?

One aspect of the new GDPR that sometimes creates confusion is the exact age of consent, and the specific approach the regulations will take when it comes to defining what constitutes a "minor".

While it is true that the EU is a signatory to the UN Convention on the Rights of the Child, which defines a child as someone who is under the age of 18, the text of the GDPR uses the age of 16 as its cut-off point - a decision that was the result of several rounds of negotiation.

Previous drafts of the regulation set the age of consent at 13 years, in line with the US Children's Online Privacy Protection Act, but the final version opted for the age of consent to be set at 16 years, albeit with a stipulation that individual countries can set this threshold anywhere from 13 to 16 years if they choose. The British government subsequently confirmed through the UK Data Protection Bill that it will be adopting the lowered cut-off point of 13, so companies doing business in Britain will need to account for this.

What actions do companies need to take?

As with all elements of the GDPR, the consequences for a failure to comply can be extremely severe. Any companies found to be violating the new rules can be fined up to four per cent of their annual global turnover, or €20 million (£17 million) - in addition to the impact that such an offence can have on an organisation's reputation.

GDPR came into force in May 2018, and is enshrined in UK law to ensure the new legal framework continues to apply to British businesses even after Brexit. As such, it's essential for any companies that process personal data to take the necessary steps to achieve compliance as soon as possible.

This will mean conducting a thorough review of all the relevant company processes to make sure that no personal information is being processed without clear consent, and that any services designed to be accessed by children are designed in a way that makes it easy for families to understand how the new approach to permission works.

By implementing these measures at the first available opportunity, organisations can ensure they are prepared for the May deadline, and that they are able to maintain the hard-won trust of its clients and customers of all ages.

Summary: The introduction of the GDPR means parental consent is necessary before companies can process the personal data of minors, so it's essential that companies learn all they can about this process before the May 2018 deadline.


Related resources