Children & consent

For the first time, the GDPR brings in special protection for children’s personal data, particularly in the context of internet services such as social networking. If your business offers online services to children and relies on consent to collect information about them, then you may need the consent of a parent or guardian in order to process that personal data lawfully. The GDPR makes it clear that protection is particularly significant where personal data relating to children is used for marketing purposes or for creating online profiles.


When can a child give consent?

The GDPR sets the age when a child can give their own consent to the processing of their personal data at 16. However, the UK has lowered this (through the Data Protection Act 2018) to a minimum of 13.


If you choose to rely on children’s consent, you will need to implement age-verification measures, and make reasonable efforts to verify parental responsibility for those under the relevant age.


Privacy Policies aimed at children

Where a business aims their services directly at children, they must ensure that their privacy policy is written in a clear, plain way that a child can understand.