- What do we need to do if we intend to use children’s personal data to offer an online service to a child?
- What does Article 8 say?
- What is the definition of an ISS?
- When is an ISS ‘offered directly to a child’?
- When does the UK age limit apply?
- What does Article 8 of the GDPR require?
- What do we have to do if we offer an ISS directly to children?
- What does ‘reasonable efforts’ mean?
- What about children's consent and cookies?
What do we need to do if we intend to use children’s personal data to offer an online service to a child?
If you intend to use children’s personal data to offer an online service to a child then you must do a data protection impact assessment (DPIA) to establish whether your processing will result in a high risk to the rights and freedoms of your data subjects. This is because offering online services to children is one of the circumstances that the ICO considers is likely to result in such a risk. For further guidance please see our detailed guidance on Data Protection Impact Assessments.
What does Article 8 say?
Article 8 of the GDPR applies where you are offering an information society service (ISS) directly to a child. It does not require you to always get consent for the processing of children’s personal data in this context, but if you choose to rely on consent it sets out further conditions as follows:
“1. Where point (a) of Article 6(1) applies in relation to the offer of information society services directly to a child the processing of the personal data of a child shall be lawful where the child is at least 16 years old. Where the child is below the age of 16 years, such processing shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child.
Member states may provide by law for a lower age for these purposes provided that such lower age is not below 13 years.
2. The controller shall make reasonable efforts to verify in such cases that consent is given or authorised by the holder of parental responsibility over the child, taking into consideration available technology.
3. Paragraph 1 shall not affect the general contract law of Member States such as the rules on the validity, formation or effect of a contract in relation to a child.”
What is the definition of an ISS?
The basic definition of an ISS in Article 1(1)(b) of Directive (EU) 2015/1535 is:
“any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services.
For the purposes of this definition:
(i) ‘at a distance’ means that the service is provided without the parties being simultaneously present;
(ii) ‘by electronic means’ means that the service is sent initially and received at its destination by means of electronic equipment for the processing (including digital compression) and storage of data, and entirely transmitted, conveyed and received by wire, by radio, by optical means or by other electromagnetic means;
(iii) ‘at the individual request of a recipient of services’ means that the service is provided through the transmission of data on individual request.”
Essentially this means that most online services are ISS, even if the ‘remuneration’ or funding of the service doesn’t come directly from the end user. For example, an online gaming app or search engine that is provided free to the end user but funded via advertising still comes within the definition of an ISS.
It generally includes websites, apps, search engines, online marketplaces and online content services such as on-demand music, gaming and video services and downloads. It does not include traditional television or radio transmissions that are provided via general broadcast rather than at the request of an individual.
If you are uncertain whether your service is an ISS or not then we recommend you take your own legal advice, or refer to the following ‘further reading’ which provides more detailed clarification.
- 2000/31/EC (the Directive on electronic commerce: recital 18)
- CJEU Judgement Ker-Optika, Dec 2010 (C-108/09, paragraphs 22 and 28)
- CJEU Judgement Uber, May 2017 (C-434/15, paragraphs 30-37).
When is an ISS ‘offered directly to a child’?
If an ISS is only offered through an intermediary, such as a school, then it is not offered ‘directly’ to a child.
Any other ISS which explicitly states that it is for children, or has children of any age as its target audience, is clearly being offered directly to a child.
The ICO also considers an ISS is offered directly to a child when it is made available to all users without any age restrictions or when any age restrictions in place allow users under the age of 18.
If an ISS is only made available to users who are aged 18 and over then it is not being offered directly to a child. However, if your ISS states that it has such an age limit then, in the event of a complaint, we may look for evidence that the limit is applied in practice, and not just in theory, when deciding whether Article 8 applies. We may consider evidence such as site content, marketing plans, systems or processes designed to limit access, and information provided to users, in this respect.
This means that you need to carefully consider your target audience, and be clear about what age group you intend to allow to access your ISS. If you decide not to offer your ISS to children then you need to consider how to mitigate the risk of them gaining access, using measures that are proportionate to the data protection risks inherent in the processing.
Because online processing of children’s personal data is likely to be high risk processing you must use a data protection impact assessment to help you in this task and to evidence and explain your approach to processing.
When does the UK age limit apply?
Article 8 of the GDPR allows Member States to decide the age at which children can consent to the processing of their personal data in the context of an ISS, at national level. The UK has set this limit at age 13, but other Member States have set different age limits.
This means that ISS providers that have an establishment anywhere within the European Union (EU) need to respect the differing age limits of the different Member States. In practice this may mean that the child needs to select, or confirm, which country they are in each time they provide your ISS with their personal data, so that you know which age limit to apply. If you have an establishment anywhere in the EU, the ICO expects you to respect the UK age limit when you process the personal data of UK based children. Similarly, if you are a UK based ISS provider, we expect you to respect other Member States’ age limits when you process the personal data of children based elsewhere in the EU.
If you are an ISS provider who does not have an establishment anywhere within the EU, but you actively seek or pursue the use of your service by European based children, we expect you to respect the UK age limit when you process the personal data of UK based children.
If you do not have an establishment anywhere in the EU and you don’t actively seek or pursue the use of your service by European based children you don’t need to meet the different Member State requirements as your processing falls outside the territorial scope of the GDPR.
What does Article 8 of the GDPR require?
In circumstances where you are offering an ISS directly to children and you wish to rely upon consent as your lawful basis for processing their personal data, Article 8 of the GDPR (as implemented in the UK) provides that:
- only children aged 13 years and over may lawfully provide their own consent for the processing of their personal data;
- an adult with parental responsibility must provide consent for processing if the child is under 13; and
- in such cases you must make reasonable efforts, taking into consideration available technology, to verify that the person providing parental consent does, in fact, hold parental responsibility for the child.
If your ISS is an online preventive or counselling service, Section 9 of the Data Protection Act 2018 provides that the Article 8 requirements do not apply and Recital 38 of the GDPR says that parental consent should not be required. This indicates that in this context either it will be in the best interests of the child to accept their own consent or that another basis for processing (such as public task or legitimate interests) may be more appropriate.
What do we have to do if we offer an ISS directly to children?
If you offer your ISS directly to children and wish to rely upon consent as your lawful basis for processing, then you have to make sure that anyone providing their own consent to the processing is old enough to do so. Although the GDPR does not contain an explicit ‘age of consent’ verification requirement, this is the implication of Article 8. If you do not verify this then this may result in you processing a child’s personal data without valid consent. You do not have to verify the exact age of the data subject in this context: you only need to establish that they are old enough to provide their own consent.
As there is no ‘reasonable efforts’ qualification to obtaining valid consent, it remains a matter of fact whether you have obtained the lawful consent of someone who is able to give it for themselves or not. However, in practice, in the event of a complaint, we will consider whether you have made reasonable efforts to verify that the data subject is old enough to provide their own consent, taking into account the risks inherent in the processing and the available technology.
The GDPR also explicitly requires you to make reasonable efforts, taking into consideration the available technology, to verify that any person giving consent on behalf of a child who is too young to provide their own consent, does in fact hold parental responsibility over the child.
A data protection impact assessment should help you to decide what steps you need to take to verify age and parental responsibility. It may also help you to evidence that they are reasonable in the event of a complaint to the Commissioner.