{"id":6629,"date":"2023-05-30T13:11:31","date_gmt":"2023-05-30T11:11:31","guid":{"rendered":"https:\/\/s8.tgin.eu\/?p=6629"},"modified":"2025-02-07T11:19:47","modified_gmt":"2025-02-07T10:19:47","slug":"childrens-data-and-implementing-of-age-assurance-mechanisms","status":"publish","type":"post","link":"https:\/\/techgdpr.com\/blog\/childrens-data-and-implementing-of-age-assurance-mechanisms\/","title":{"rendered":"Processing children\u2019s data and implementing age assurance mechanisms"},"content":{"rendered":"\n

It is undeniable that children (individuals under 18) take up a large portion of the online population. With more content being created to specifically target children, a UK study from Ofcom has shown that many start as young as 3 to 4 years old to consume content on video sharing platforms such as Youtube, and the majority of 8 to 11 years old have a social media account<\/a>. As a result, these platforms and services are processing vast amounts of children’s data, whether they intend to do so or not. <\/p>\n\n\n\n

Due to their age and general level of maturity and education, children are considered to be vulnerable and granted special rights in the eyes of the majority of jurisdictions. This is internationally recognised through, for example, the United Nations\u2019 Convention on the Rights of the Child<\/a>. This vulnerability is considered across different areas of legislation, including data protection, leading to specific provisions being included in the GDPR, such as Art. 8, laying the conditions for information society services to process children\u2019s data.<\/p>\n\n\n\n

Art. 8 GDPR\u2019s requirements and the age of digital consent<\/h2>\n\n\n\n

Art. 8 of the GDPR <\/a>is the only article that regulates the processing of children\u2019s personal data specifically. It provides that the processing of personal data of children is lawful when the child is at least 16 years old (age of digital consent), or, if below that age, only where consent has been given by the holder of parental responsibility for said child. The GDPR also allows for the individual member state to independently legislate on whether the age limit can be lower than 16, so long as it is no lower than 13. Countries such as Germany and the Netherlands have opted to stick to the standard already established by the GDPR, while others, including Belgium and the UK prior to its departure from the EU, have lowered the threshold to the lowest possible age of 13. Notably, the UK’s current data protection provision still maintains that the age of digital consent is 13.<\/p>\n\n\n\n

With this provision, the inevitable consequence is to first and foremost ensure that the age of a data subject is appropriately verified, in order to assess whether these rules apply and take the appropriate steps. However, recent cases and studies have shown that it is inherently difficult to gain consent of a parent or guardian, as there are no appropriate mechanisms in place to ensure that children are being truthful about their age.<\/p>\n\n\n\n

Growing concerns about the processing of children\u2019s data<\/h2>\n\n\n
\n
\"\"<\/figure>\n<\/div>\n\n\n

<\/p>\n\n\n\n

One of the main issues that information society services<\/a> face in regards to the processing of children\u2019s data, is that these services are not aware that many of the users are actually under the age of digital consent. So far, the majority of these platforms have been relying on relatively lax forms of self declaration, <\/em>meaning that the platforms offer services on the legal assumption that the user is responsible for declaring their age truthfully, which leads to users easily lying about their age<\/a> to gain access to platforms where no extra assurance is required. <\/p>\n\n\n\n

UK\u2019s Ofcom research has shown that for platforms such as TikTok and Facebook, which only required users to indicate their date of birth, the vast majority simply indicated a date of birth that would indicate that the user is older than they actually are<\/a>. The main issue with this is that this may set up young users to be exposed to content that is not safe for their age, and also expose them to unlawful collection of their personal data from these platforms. <\/p>\n\n\n\n

It is therefore unsurprising that Meta<\/a> and TikTok<\/a> have been the two biggest companies being fined for violations in regards to misuse of children\u2019s data by the Irish and UK\u2019s data protection authorities respectively. In fact, the UK\u2019s ICO noted that TikTok had been aware of the presence of under 13s in the platform but it had not taken the right steps to remove them. <\/p>\n\n\n\n

It becomes clear that the development and implementation of more stringent age assurance<\/em> techniques is necessary to ensure that personal data of children is only processed in accordance with GDPR standards. Whilst the EU is yet to come up with specific guidelines in regards to this matter, the UK has published the Children\u2019s Code, to be applied to online services likely to be accessed by children as a code of practice.<\/p>\n\n\n\n

Age assurance mechanisms<\/h2>\n\n\n\n
\n\n