GDPR Age of Consent

In summary in the UK for a child to give consent to processing their personal data they must be at least age 13. There may be some variance between EEA member states.

Article 8 of the GDPR states that ‘Where the child is below the age of 16 years, such processing shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child. Member States may provide by law for a lower age for those purposes provided that such lower age is not below 13 years.

The UK’s Data Protection Act 2018 sets the age from which parental consent is not needed to process data online at age 13. This specification is in accordance with Article 8 of the GDPR.

It must also be remembered that recital 38 of the GDPR states that ‘The consent of the holder of parental responsibility should not be necessary in the context of preventive or counselling services offered directly to a child.’

Section 9 of the Data Protection Act 2018 states that:

‘In Article 8(1) of the GDPR (conditions applicable to child’s consent in relation to information society services)—

references to “16 years” are to be read as references to “13 years”, and the reference to “information society services” does not include preventive or counselling services.’

To summarise article 7 of the GDPR consent must be:

• Freely given

• Clear

• Presented (or obtained) in a way distinguishable from other matters

• Withdrawable; capable of being withdrawn at any time

• Demonstrable; Necessary and proven by controllers.

The ICO also raise an important point regarding the GDPR: ‘The explicit emphasis on adapting privacy notices for children goes beyond what is currently required by the DPA. Data controllers processing children’s data will need to take account of the level of comprehension of the age groups involved and tailor their notices accordingly.’ - (ICO 23/05/2018)

For reference the GDPR can be read: here

#GPDRConsent #AgeofConsent