Consent and children’s data

• If you provide information society services (e.g. web shops, video-sharing platforms, social networking sites, search engines etc.) to a child while relying on consent as the legal basis for the processing, you need to undertake reasonable efforts to obtain and verify parental consent when it concerns users below the age of 16. Reasonable effort should be determined by considering existing technology and the circumstances such as resources and level of risk. Depending on the Member State where you operate, a different age limit may apply as Member States can lower the age limit for parental consent down to 13 years old.
   

• Take note that this rule only applies if the services are offered directly to the child, meaning that they either exclusively address children or explicitly focus on them.
   

• Also, it does not mean that you always must obtain parental consent for users under the chosen age limit. Only if you make your service available to children, and you rely on consent as your lawful basis (e.g. for any non-core processing, cookies or similar technologies or processing of special category data).

 

 

Useful link

​

• ICO has issued a code on Age appropriate design: a code of practice for online services, which provides practical guidance on how to ensure your online services appropriately safeguard children’s personal data. Following this code will assist you to process children’s data fairly.