ICO guidance on children under GDPR
The ICO’s Guide to the GDPR has been updated to include guidance on Children and the GDPR, the public consultation for which ended on 28th February 2018.
There are a number of important points, which I have summarised below:
If you are relying on consent as your lawful basis for processing personal
data, when offering an online service directly to a child, only children aged
13 or over are able to provide their own consent.
For children under this age you need to get consent from whoever holds
parental responsibility for the child - unless the online service you offer is
a preventive or counselling service.
When relying on consent, you need to make sure that the child understands what they are consenting to, and that you do not exploit any imbalance in power in the relationship between you and them.
When relying on ‘necessary for the performance of a contract’, you must consider the child’s competence to understand what they are agreeing to, and to enter into a contract.
As a matter of good practice, you need to explain the risks inherent in the processing, and how you intend to safeguard against them, in a child friendly way, so that children (and their parents) understand the implications of sharing their personal data.
You tell children what rights they have over their personal data in language they can understand.
As a matter of good practice, if you are relying upon parental consent then you will offer two different versions of your privacy notices; one aimed at the holder of parental responsibility and one aimed at the child.