Children's Data Protection: Special Requirements Under GDPR
Children merit specific protection under GDPR because they may be less aware of risks and consequences associated with data processing. Organizations offering services to children, or likely to have children as users, face additional requirements around consent, transparency, and data protection.
Key Takeaways
| Point | Summary |
|---|---|
| Age of consent | Varies by Member State: 13-16 years for information society services |
| Parental consent | Required for children below the digital age of consent |
| Enhanced transparency | Information must be in language children can understand |
| Profiling restrictions | Automated decision-making affecting children requires extra caution |
| Marketing limitations | Targeting children with marketing faces particular scrutiny |
Quick Answer: If your service is directed at or likely to be used by children, you need parental consent for users under the digital age of consent (13-16 depending on country), age verification mechanisms, and child-friendly privacy information. Marketing to children and profiling require particular care.
Age of Consent by Country
GDPR allows Member States to set their own digital age of consent between 13 and 16 years:
| Age | Countries |
|---|---|
| 13 years | Belgium, Denmark, Estonia, Finland, Latvia, Malta, Portugal, Sweden, UK |
| 14 years | Austria, Bulgaria, Cyprus, Italy, Lithuania, Spain |
| 15 years | Czech Republic, France, Greece, Slovenia |
| 16 years | Croatia, Germany, Hungary, Ireland, Luxembourg, Netherlands, Poland, Romania, Slovakia |
Note: This applies specifically to "information society services" offered directly to children. Other processing may have different rules.
When Do These Rules Apply?
Information Society Services
The child-specific rules in Article 8 apply to "information society services offered directly to a child." This includes:
| Included | Not Included |
|---|---|
| Social media platforms | Offline services |
| Online gaming | General websites (not requiring registration) |
| Apps requiring registration | Services clearly for adults |
| Streaming services | B2B services |
| E-commerce platforms | Educational services (often exempt) |
Services Likely to Be Used by Children
Even if not specifically directed at children, services likely to have child users should consider:
- Whether age-gating is appropriate
- How to handle children who access the service
- Age-appropriate privacy information
Parental Consent Requirements
When Required
Parental consent is required when:
- The service is an information society service
- Offered directly to the child
- The child is below the applicable age of consent
- Consent is the legal basis for processing
Verifiable Consent
GDPR requires "reasonable efforts" to verify that consent is given or authorized by the holder of parental responsibility:
| Method | Suitability |
|---|---|
| Credit card verification | Higher assurance, but barrier to access |
| Email confirmation | Lower assurance, easily circumvented |
| Knowledge-based questions | Moderate assurance |
| Video verification | High assurance, significant friction |
| ID verification | High assurance, privacy concerns |
Proportionality applies: The verification method should be appropriate to the risks of the processing and the available technology.
Practical Considerations
| Challenge | Approach |
|---|---|
| Children may lie about age | Implement age-gating; accept reasonable verification |
| Parents may not engage | Make consent process as simple as possible |
| Verification creates friction | Balance protection with usability |
| International variation | Implement for strictest applicable standard or vary by country |
Transparency for Children
Child-Friendly Privacy Information
Information provided to children must be in clear, plain language that children can understand:
| Standard Privacy Notice | Child-Friendly Approach |
|---|---|
| Legal terminology | Simple words |
| Long paragraphs | Short sentences |
| Abstract concepts | Concrete examples |
| Text-only | Visual aids, icons, videos |
| Single format | Layered information |
Content to Communicate
| Topic | How to Explain |
|---|---|
| What data is collected | "We collect your name and email" |
| Why | "So you can play games and save your progress" |
| Who sees it | "Only we see your information, unless you share it" |
| How long kept | "We keep your information while you use [service]" |
| Rights | "You can ask us to delete your account" |
| Contact | "Talk to your parents or email us at..." |
Profiling and Automated Decisions
Restrictions on Profiling Children
GDPR Recital 71 states that profiling children should not be the basis for automated decisions producing legal or similarly significant effects.
| Activity | Consideration |
|---|---|
| Behavioral advertising | Generally inappropriate for children |
| Content recommendation | May be acceptable if not for advertising |
| Age-appropriate content filtering | Generally acceptable |
| Personalized pricing | Avoid for children |
| Credit decisions | Not applicable (children can't contract) |
Practical Guidance
| Approach | Implementation |
|---|---|
| Minimize profiling | Limit data collection and analysis for children |
| Context-only recommendations | Base on current session, not historical profile |
| Avoid advertising profiles | Don't build marketing profiles for children |
| Human review | Ensure human oversight of significant decisions |
Marketing to Children
General Principles
Marketing to children faces particular regulatory scrutiny:
| Principle | Application |
|---|---|
| No exploitation | Don't exploit children's inexperience or credulity |
| Transparency | Marketing must be clearly identifiable as such |
| Consent | Marketing generally requires opt-in consent |
| Parental involvement | Parents should be aware of marketing exposure |
Behavioral Advertising
Behavioral advertising to children is strongly discouraged or prohibited:
- UK ICO Children's Code prohibits behavioral advertising to under-18s
- EDPB guidance suggests profiling children for marketing is generally inappropriate
- Many Member States have additional restrictions
Age-Appropriate Design Codes
Several jurisdictions have implemented codes of practice for services likely to be used by children:
UK Age Appropriate Design Code (Children's Code):
- 15 standards for online services
- Best interests of the child paramount
- Default high privacy settings
- No profiling by default
- No behavioral advertising
Data Minimization for Children
Enhanced data minimization principles apply:
| Principle | Application |
|---|---|
| Collect minimum | Only essential data for service delivery |
| No unnecessary identifiers | Consider if real names are needed |
| Limited retention | Shorter retention periods appropriate |
| No unnecessary sharing | Minimize third-party data sharing |
Rights of Children and Parents
Who Can Exercise Rights?
| Scenario | Rights Holder |
|---|---|
| Child below age of consent | Parent/guardian exercises rights |
| Child at/above age of consent | Child exercises own rights |
| Mixed situations | Consider capacity and context |
Specific Rights Considerations
| Right | Consideration for Children |
|---|---|
| Access | Provide in child-friendly format |
| Deletion | Lower bar for demonstrating that deletion is appropriate |
| Objection | Particularly relevant for profiling |
| Portability | May be important for switching services |
Age Verification and Gating
Approaches to Age Verification
| Approach | Pros | Cons |
|---|---|---|
| Self-declaration | Simple, low friction | Easily circumvented |
| Birth date entry | Standard practice | Easily falsified |
| Neutral age gate | Doesn't suggest "correct" answer | Still easily bypassed |
| Parental email verification | Involves parents | Children may use parents' email |
| Third-party age verification | More reliable | Privacy concerns, friction |
| AI age estimation | Scalable | Accuracy concerns, privacy issues |
Best Practices
| Practice | Implementation |
|---|---|
| Neutral phrasing | Ask "What is your date of birth?" not "Are you over 16?" |
| No retry indication | Don't reveal that the entered age was the reason access was blocked |
| Appropriate friction | Higher assurance for higher-risk processing |
| Design for compliance | Assume some children will access; design accordingly |
Implementation Checklist
For Services Directed at Children
- Determine applicable age of consent for target markets
- Implement appropriate age verification
- Build parental consent mechanism
- Create child-friendly privacy information
- Configure privacy-protective defaults
- Disable behavioral advertising and profiling
- Minimize data collection
- Implement appropriate retention periods
- Train support staff on handling children's data
- Conduct DPIA for child-directed features
For Services Likely to Have Child Users
- Assess likelihood of child users
- Implement age-gating where appropriate
- Provide child-friendly information option
- Consider disabling higher-risk features for children
- Plan for parental consent where applicable
- Document approach to children's data
How Bastion Helps
Children's data protection involves navigating complex requirements that vary by jurisdiction and service type. Working with experienced partners helps ensure your approach protects children appropriately while remaining practical.
| Challenge | How We Help |
|---|---|
| Regulatory Analysis | Guidance on which requirements apply to your specific service |
| Age Verification | Recommendations for proportionate age verification approaches |
| Consent Mechanisms | Design and implementation of parental consent processes |
| Privacy Information | Support creating child-friendly privacy communications |
| DPIA | Assessment of risks specific to children's data processing |
| International Compliance | Navigating varying age thresholds and requirements |
Getting children's data protection right matters both for compliance and for building trust with families. Expert support helps ensure your approach is appropriate to your specific context.
Sources
- GDPR Article 8 (EUR-Lex) - Conditions applicable to child's consent
- EDPB Guidelines on Consent - Including guidance on children's consent
- UK ICO Age Appropriate Design Code - Children's code of practice
