Guidelines 05/2020 on Consent under Regulation 2016/679 (GDPR)

Section 7.1  Children (Article 8)

124. Compared to the current directive, the GDPR creates an additional layer of protection where personal data of vulnerable natural persons, especially children, are processed. Article 8 introduces additional obligations to ensure an enhanced level of data protection of children in relation to information society services. The reasons for the enhanced protection are specified in Recital 38:“ […] they may be less aware of the risks, consequences and safeguards concerned and their rights in relation to the processing of personal data […]” Recital 38 also states that “Such specific protection should, in particular, apply to the use of personal data of children for the purposes of marketing or creating personality or user profiles and the collection of personal data with regard to children when using services offered directly to a child.” The words ‘in particular’ indicate that the specific protection is not confined to marketing or profiling but includes the wider ‘collection of personal data with regard to children’.

125. Article 8(1) states that where consent applies, in relation to the offer of information society services directly to a child, the processing of the personal data of a child shall be lawful where the child is at least 16 years old. Where the child is below the age of 16 years, such processing shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child. Regarding the age limit of valid consent the GDPR provides flexibility, Member States can provide by law a lower age, but this age cannot be below 13 years.

126. As mentioned in section 3.1. on informed consent, the information shall be understandable to the audience addressed by the controller, paying particular attention to the position of children. In order to obtain “informed consent” from a child, the controller must explain in language that is clear and plain for children how it intends to process the data it collects. If it is the parent that is supposed to consent, then a set of information may be required that allows adults to make an informed decision.

127. It is clear from the foregoing that Article 8 shall only apply when the following conditions are met:

a) The processing is related to the offer of information society services directly to a child.

b) The processing is based on consent.