As children have become more financially active at an early age, marketers have begun to interact with them directly, rather than through their parents or guardians. Although not specifically included in the Data Protection Directive’s definitions of sensitive data, information relating to children clearly needs careful handling.
Deciding what is acceptable in terms of processing children’s data for marketing purposes depends on their age and ability to understand the consequence of their actions. What is regarded as appropriate for a child under 12 is very different from that which would be acceptable for a 16 year old. When scripting data collection statements, the wording used must be readily understandable and children should not be asked to surrender information about adults for marketing purposes.
In the UK, the Information Commissioner’s Office has created specific guidance for collection notices directed at children. The guidance says that children under 12 years of age should not be asked to surrender data without the explicit and verifiable consent of the child’s parent/guardian. A notice informing children of the requirement for parental or guardian’s consent must be shown at the point where a child’s personal information is requested. In order to verify this consent has genuinely been given by the adult, a follow up communication should be sent to the parent or guardian stating that the child’s permission has been captured and offering a further opt-out opportunity. The over 12s do not need parental consent but the language used to collect their data should be suitably clear.
In general, access to special offers or websites should not be contingent on the collection of personal information from children and companies should not attempt to entice children to divulge personal information with the prospect of a special prize or other offer. The general susceptibility of children should never be exploited in an attempt to gain information about them or their family circumstances.
It is worth remembering that orders for goods or services must not be accepted from children under 16 without first obtaining a parent/teacher’s verifiable and explicit consent. Trading in children’s data for list rental purposes without explicit consent from an adult breaches best practice guidelines and it goes without saying that data concerning children should be subject to particularly stringent security measures.
Published June 2015
Note: Under the General Data Protection Regulation (GDPR) which will be implemented on 25th May 2018, this will change. In Article 8 (1) of the new Regulation it states “the processing of the personal data of a child shall be lawful where the child is at least 16 years old. Where the child is below the age of 16 years, such processing shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child.” However it further states “member States may provide by law for a lower age for those purposes provided that such lower age is not below 13 years.”
The information provided and the opinions expressed in this document represent the views of the Data Protection Network. They do not constitute legal advice and cannot be construed as offering comprehensive guidance on the EU General Data Protection Regulation (GDPR) or other statutory measures referred to.