Services Provided Directly to Children
Under the GDPR children are a special category of data subject, considered as being individuals under the age of 16. The GDPR also allows for EEA member states to revise that age, which the UK has done under the Data Protection Act 2018 that lowers that age to 13. Personal data for children requires specific protection as the individuals may be less aware of the risks, consequences and safeguards and/or their rights in relation to data processing. In particular, collection or use of personal data when the services are directly offered to a child, or marketing to a child, require special consideration and control. Note that where other EEA member states are targeted, the age limits may vary.
Any information or communication addressed to a child should be in clear and plain language that a child can easily understand. This can include the use of graphics and pictures to convey or support information.
You need to have a lawful basis for processing the personal data of a child. As with adults, any of the lawful bases can be used for processing personal data of children, although additional considerations may apply.
If relying on consent as the lawful basis when offering an online service directly to a child, only children aged 13 or over are able to provide their own consent. Reasonable efforts will need to be made to verify that the individual is at least 13 years old. Where the child is below this age, parent/guardian consent is required (with exceptions for preventive or counselling services provided online). Reasonable efforts will need to be made to verify the person providing consent does hold appropriate parental/guardian responsibility for the child.
Where relying upon contract as a lawful basis, the contract has to be simple and easily understood, and the child's competence to understand what they are agreeing to when entering into the contract needs to be considered.
If using the legitimate interest lawful basis, the same balance of interest versus rights applies as with any data subject, but the potential risk posed to the child may be different than with an adult.
Children have the same rights over their personal data as adults.
Privacy notices for services provided directly to children should be presented simply and clearly so that the child can understand what will happen to their personal data and what rights they have in relation to that processing. Note, however, that an individual's right to erasure is especially relevant where consent was given when they were a child.
Marketing services to children requires particular care. As with the earlier examples, communications need to be clear and simple. Any lack of understanding or vulnerability cannot be exploited. Children retain the right to object to processing data for direct marketing, so the means to object must be provided and processing must stop if requested by the child or someone acting on their behalf. Electronic marketing must also comply with the requirements of the Privacy and Electronic Communications Regulations 2003 (PECR).
Automated individual decision making should not be used where this has legal or similarly significant effects upon the child.
The ICO provides a comprehensive guide to Children and the GDPR.