Guidelines 05/2020 on Consent under Regulation 2016/679 (GDPR)
Paragraph 7.1.4 Children’s consent and parental responsibility
136. Regarding the authorisation of a holder of parental responsibility, the GDPR does not specify practical ways to gather the parent’s consent or to establish that someone is entitled to perform this action. Therefore, the EDPB recommends the adoption of a proportionate approach, in line with Article 8(2) GDPR and Article 5(1)(c) GDPR (data minimisation). A proportionate approach may be to focus on obtaining a limited amount of information, such as contact details of a parent or guardian.
137. What is reasonable, both in terms of verifying that a user is old enough to provide their own consent, and in terms of verifying that a person providing consent on behalf of a child is a holder of parental responsibility, may depend upon the risks inherent in the processing as well as the available technology. In low-risk cases, verification of parental responsibility via email may be sufficient. Conversely, in high-risk cases, it may be appropriate to ask for more proof, so that the controller is able to verify and retain the information pursuant to Article 7(1) GDPR. Trusted third party verification services may offer solutions, which minimise the amount of personal data the controller has to process itself.
138. Example 23: An online gaming platform wants to make sure underage customers only subscribe to its services with the consent of their parents or guardians. The controller follows these steps:
139. Step 1: ask the user to state whether they are under or over the age of 16 (or alternative age of digital consent). If the user states that they are under the age of digital consent:
140. Step 2: service informs the child that a parent or guardian needs to consent or authorise the processing before the service is provided to the child. The user is requested to disclose the email address of a parent or guardian.
141. Step 3: service contacts the parent or guardian and obtains their consent via email for processing and takes reasonable steps to confirm that the adult has parental responsibility.
142. Step 4: in case of complaints, the platform takes additional steps to verify the age of the subscriber.
143. Step 5: If the platform has met the other consent requirements, the platform can comply with the additional criteria of Article 8 GDPR by following these steps.
144. The example shows that the controller can put itself in a position to show that reasonable efforts have been made to ensure that valid consent has been obtained, in relation to the services provided to a child. Article 8(2) particularly adds that “The controller shall make reasonable efforts to verify that consent is given or authorised by the holder of parental responsibility over the child, taking into consideration available technology.”
145. It is up to the controller to determine what measures are appropriate in a specific case. As a general rule, controllers should avoid verification solutions which themselves involve excessive collection of personal data.
146. The EDPB acknowledges that there may be cases where verification is challenging (for example where children providing their own consent have not yet established an ‘identity footprint’, or where parental responsibility is not easily checked). This can be taken into account when deciding what efforts are reasonable, but controllers will also be expected to keep their processes and the available technology under constant review.
147. With regard to the data subject’s autonomy to consent to the processing of their personal data and have full control over the processing, consent by a holder of parental responsibility or authorized by a holder of parental responsibility for the processing of personal data of children can be confirmed, modified or withdrawn, once the data subject reaches the age of digital consent.
148. In practice, this means that if the child does not take any action, consent given by a holder of parental responsibility or authorized by a holder of parental responsibility for the processing of personal data given prior to the age of digital consent, will remain a valid ground for processing.
149. After reaching the age of digital consent, the child will have the possibility to withdraw the consent himself, in line with Article 7(3). In accordance with the principles of fairness and accountability, the controller must inform the child about this possibility.
150. It is important to point out that in accordance with Recital 38, consent by a parent or guardian is not required in the context of preventive or counselling services offered directly to a child. For example, the provision of child protection services offered online to a child by means of an online chat service does not require prior parental authorisation.
151. Finally, the GDPR states that the rules concerning parental authorization requirements vis-à-vis minors shall not interfere with “the general contract law of Member States such as the rules on the validity, formation or effect of a contract in relation to a child”. Therefore, the requirements for valid consent for the use of data about children are part of a legal framework that must be regarded as separate from national contract law. Therefore, this guidance paper does not deal with the question whether it is lawful for a minor to conclude online contracts. Both legal regimes may apply simultaneously, and the scope of the GDPR does not include harmonization of national provisions of contract law.