Kids-Proof Privacy: Navigating GDPR with Giggles and Guardrails


GDPR and Kids

Are children subjects of GDPR? Let’s explore this question together!


GDPR aims to provide robust protection for children's personal data, with strict requirements around consent, transparency, and data protection measures. Companies must carefully consider the unique vulnerabilities of children when processing their information.


  1. If the child is at least 16 years old, processing of their personal data is lawful if they give consent themselves.

  2. If the child is under 16, processing is only lawful if consent is given or authorized by the holder of parental responsibility over the child.


EU member states can lower the age of consent to as young as 13. Here is a list of the exceptions:

  • Belgium, Denmark, Estonia, Finland, Latvia, Malta, and Portugal: The age of consent is lowered to 13 years.

  • Austria, Italy and Spain: The age of consent is 14 years.

  • Czech Republic: The age is set at 15 years.

  • France: The age of consent is set at 15 years. Children aged 15 and older can provide their own consent for data processing, while those younger require parental consent.


Beyond the age of consent, the GDPR requires additional protections when processing children's personal data:

  • Privacy notices must be written in clear, plain language that a child can understand.

  • The right to erasure is particularly relevant when the child has given consent and later wants their data removed.

  • Companies must make reasonable efforts to verify that consent is given by the child's parent or guardian, such as through age verification measures.

  • The best interests of the child must be a primary consideration in data processing decisions.

  • Data protection by design and default principles should incorporate child-friendly safeguards from the outset.

  • Data protection impact assessments are recommended to assess and mitigate risks to children's data.


There have been significant GDPR fines related to the mishandling of children's personal data. Here are 2 notable cases, both from the Irish Data Protection Commission (DPC):

  • TikTok: In 2023, TikTok was fined €345 million for failing to adequately protect children's personal data. The investigation revealed that TikTok had set children's accounts to public by default, allowing their videos to be viewed by anyone, which violated GDPR principles concerning the protection of minors' data.

  • Instagram: In 2022, Instagram was fined €405 million for breaches related to the handling of children's data. Instagram allowed teenage users to use "business accounts," which exposed their email addresses and phone numbers, and set all accounts to public by default, failing to comply with privacy by design principles.


At Synchromind, we are very passionate about kids' online safety. That is why we have created a game, Hive Five, where they can learn how to maintain their privacy and their rights in the digital world.


Stay Safe! Play Smart!
