How do the laws in your jurisdiction address children’s PII?

Data Protection & Cyber Security

Russia Small Flag Russia

Russian data protection laws do not set out any specific rules with regard to processing of children’s PII.

As per Russian laws, children (i.e. those under the age of 18) exercise their rights and protect their interests through their parents (other legal representatives). Thus, strictly speaking, where children’s PII is processed and this requires consent, such consent should be requested from parents (other legal representatives).

However, in certain cases starting from 14 children may act more or less independently, e.g. to make some small-scale transactions on their own, etc. Thus, where children’s PII is processed in the context of such transactions, consent of the parent/ legal representative is not needed. However, in practice there is no unified approach to the notion of small-scale transaction and age threshold requiring parental consent to data processing.

Currently Russian Parliament is considering a draft bill on processing of children’s PII. Under this draft bill, processing of such data will be significantly restricted and will only be allowed based on parental consent (with exceptions only for children who started employment activity).

Argentina Small Flag Argentina

The general principles regarding minors are contained in the Argentine Civil and Commercial Code. The Code provides that individuals under the age of 18 are minors, and establishes the general rule that minors exercise their rights through their legal representatives (parents or guardians).

Since there are no specific provisions in the Data Protection Law or any other privacy regulations, this general principle described above applies to data protection. Under the Data Protection Law, the processing of personal data must be specifically consented to by the data subject. If the data subject is a minor, the consent of his or her parent or guardian will be necessary for any data processing.

Brazil Small Flag Brazil

According to the Child and Adolescent Statute, children and adolescents have a peculiar condition of being in development. In this sense, the LGPD gives them stricter data protection rules and determines that processing of personal data belonging to children and adolescents shall be done in their best interest, pursuant to the rules below and applicable legislation.

Accordingly, the LGPD set forth the following rules to process children’s and adolescents’ personal data:

  • The processing of children’s and adolescents’ personal data requires a specific and highlighted consent of at least one of the parents or by the legal guardian;
  • When processing data based on consent, controllers shall keep public the information on the types of data collected, the way it is used and the procedures for exercising the rights established in the LGPD;
  • Children’s and adolescents’ personal data may be collected without consent when it is necessary to contact the parents or legal guardian, used only once and without storage, or for the children’s protection. Under no circumstances shall the data be transferred to third parties without the proper consent;
  • Data controllers shall not condition the participation of data subjects in games, internet applications or other activities to the provision of personal information beyond what is strictly necessary for the activity;
  • The controller shall make all reasonable efforts to verify that the person responsible for the child or adolescent has given the consent, considering the available technologies;
  • Information on the processing of children’s and adolescents’ data shall be provided in a simple, clear and accessible manner, taking into account the physical-motor, perceptual, sensory, intellectual and mental characteristics of the user, with the use of audiovisual resources when appropriate, in order to provide the necessary information to the parents or legal guardian and appropriate to the understanding of the child.

Bulgaria Small Flag Bulgaria

Personal data of children are being treated as any other personal personal data in accordance with the requirements of the GDPR. However, a special attention should be paid whenever such personal data are prosessed since childred are more vulnerable data subjects and this affects the risks related to such processing.

As for the requirement under Article 25c PDPA to obtain a parent or guardian exercising parental rights whenever for processing the personal data of a minor under the age of 14 based on consent, please refer to Question 5.

Switzerland Small Flag Switzerland

There is no specific provision for children’s personal data in the FADP. As a consequence, children’s personal data are dealt with in the same way as other personal data.

However, Swiss entities usually mention that children under the age of 18 (or sometimes 16) are not permitted to submit any personal data without the consent of their parents.

Finally, in the case that consent is required for a specific data processing activity, the Swiss Civil Code governs whether and on how children may provide such a consent (see art. 11 et seq. Swiss Civil Code).

Spain Small Flag Spain

Although the GDPR states in its recital 38 the necessity to implement specific protection rules with regard to children personal data, it only regulates child's consent in relation to information society services, establishing the minimum age of 16 years for a minor to be able to give a valid consent. Member States may provide for a lower age as long as it is not lower than 13 years old.

The Spanish LOPD has set the minimum age at 14. The data processing of minors under fourteen years of age based on consent will only be lawful if the holder of parental authority or guardianship gives his/her consent for this processing. They will also be able to exercise in the name and representation of the minors the rights of access, rectification, cancellation, opposition or any other that could correspond to them.

Chile Small Flag Chile

At present, there are no provisions concerning the processing of personal data of minors. Accordingly, general rules shall apply. It shall be necessary to comply with the provisions contained in the Data Privacy Act, especially, those regarding the consent/authorization of the individual/subject, the finality principle and report on the probable public communication of data. Since the subject of data is a minor shall require authorization of the parents or custodian.

Germany Small Flag Germany

Art. 8 GDPR specifies the conditions to a child’s consent in relation to information society services, which are defined as ‘any service normally provided for remuneration, at a distance, by means of electronic equipment for the processing (including digital compression) and storage of data, and at the individual request of a recipient of a service’. Such services are especially online shops, streaming services and communication networks.

The processing of the personal data of a child according to Art. 8 GDPR shall generally be lawful when the child is at least 16 years old. If the data subject is younger than 16 years old, processing shall be lawful only if consent is given or authorized by the holder of parental responsibility over the child.

The member states may lower the age by national law if the age is no lower than 13 years. Consequently, the minimum age can differ between member states. Germany did not enact a law that changes the minimum age so that from the age of 16 the child’s own consent is assumed to suffice.

The controller shall make reasonable efforts to verify that consent is given or authorized by the holder of parental responsibility over the child. Controllers must take available technology into consideration.

A proven method to verify consent is using a double opt in process, where both the child and one parent must opt in. The company’s effort on checking consent must be increased regarding the processing of sensitive data.

India Small Flag India

Privacy Rules

The Privacy Rules do not contain specific provision for protection of PII or sensitive PII of children.

Privacy Bill

These concepts have been proposed under the Privacy Bill, such as: -

(a) requiring data fiduciaries to process PD of children28 in a manner that protects and advances their rights and best interests;

(b) requiring data fiduciaries to incorporate appropriate mechanisms for age verification29 and parental control; and

(c) notification of certain data fiduciaries as 'guardian data fiduciaries'.30

Other Legislations

There are other legislations which protect PII or sensitive PII of children and its usage, such as: -

(a) Indian Penal Code, 1860 – prohibits printing or publishing of the name or other details which may make known the identity of a minor,31 where such minor has been a victim of certain prescribed offences (such as rape, sexual intercourse by a person in authority etc.).

(b) Juvenile Justice (Care and Protection of Children) Act, 2015 – prohibits disclosure of name, address, school or other particulars which may lead to identification of a child32 in need of care or protection, a victim or witness of crime etc.

28 - The term "child" has been defined under the Privacy Bill as a data principal below the age of 18 years.

29 - Appropriateness of age verification mechanisms will be determined on the basis of – volume of PD processed, proportion of such PD likely to be that of children, possibility of harm to children etc. The Authority may prescribe further factors to be considered in this regard.

30 - The Authority may notify the following the following as guardian data fiduciaries – data fiduciaries who operate commercial websites or online services directed at children, or data fiduciaries who process large volume of PD of children. The Privacy Bill prohibits guardian data fiduciaries from carrying out certain activities, namely, profiling, tracking, behavioral monitoring, targeted advertising at children or undertaking any other processing that may cause harm to children.

31 - As per the Indian Majority Act, 1875, broadly, a person is considered to be a minor until such person has attained the age of 18 years.

32 - The term "child" has been defined under this statute to mean a person below 18 years of age.

China Small Flag China

Personal information of person aged 14 or under are child’s personal information and is classified into personal sensitive information.16 Before collecting personal information of minors17 aged 14 or older, it shall seek explicit consent from the minors or their guardians; where the minors are aged under 14, it shall seek explicit consent from their guardians.18

16 - PI Specification. 3.2.
17 - Eighteen is the age of majority in China.
18 - PI Specification. 5.5 c).

Indonesia Small Flag Indonesia

MCI Regulation 20/2016 stipulates that a minor or child are not able to provide consent for their own Personal Data. In the event that Data Subject is a minor, consent can only be provided by the parents or official guardian of the child.

Portugal Small Flag Portugal

As foreseen in article 8 of the GDPR, where the child is below the age of 16 years and the processing of PII is related to the offer of information society services directly to him/her (except preventing or counselling services pursuant Recital 38) and is based on consent, the controller must seek consent from the holder of parental responsibility over the child.

The Portuguese Data Protection Law may establish a lower age (up to 13 years).

Furthermore, increased attention should be paid for the information to be provided to children in order to ensure it is intelligible and clear for them.

United Kingdom Small Flag United Kingdom

Children need particular protection when their personal data is being collected and processed as they may be less aware of the risks involved or their rights. A controller will need to assess the safeguards that they will need to put in place to make sure that the processing is fair and that a lawful basis is met. For example where consent is the lawful basis for processing the child's parent or guardian will need to be contacted to consent to the processing. A controller should keep under review age verification and parental responsibility mechanisms to ensure that it is using the most appropriate mechanisms to reduce the risks.

In relation to the offer of online services directly to a child (information society services), if the data subject is a child of at least 13 years old and they have given consent to the processing of his/her personal data, the processing will be lawful. Where the child is below 13 years old, such processing shall be lawful only if consent is given or authorised by the holder of parental responsibility over the child. This will not apply if the information society services offered to the child are preventative or counselling services.

The controller must make reasonable efforts to verify that consent is given or authorised.

Any information and communication where processing is addressed to a child, should be in clear and in plain language that the child can easily understand. Children have the same rights as adults in relation to the processing of their data and the right to erasure of data is particularly relevant if they gave their consent to the processing when they were a child.

An issue may arise because a different age will apply in different countries, so businesses with a European reach will have to know the location of the child to ensure the right rules can be applied.

Sweden Small Flag Sweden

The only explicit difference that is made between processing of personal data related to children and adults in data protection legislation concerns age of consent in relation to information society services (chapter 2, paragraph 4 of the Data Protection Act). More specifically that when a controller offer an information society service to children and processes their personal data on the basis of consent, only children aged 13 or over are able to provide their own consent (unless the online service is a preventive or counselling service). For children under the age of 13 consent must instead be obtained from whoever holds parental responsibility for the child.

Moreover, the Swedish Data Protection Authority has expressed that although there are no other explicit age of consent than the above mentioned, a controller must always ensure that the child understands what it is it consents to in order for the consent to be valid. The Swedish Data Protection Authority has therefore recommended that a controller always should obtain consent from whoever holds parental responsibility if the child is under the age of 13 and should assess on a case-by-case basis if a child between the age of 13 and 16 can give a valid consent. Children over the age of 16 should however usually be able to give a valid consent.

Greece Small Flag Greece

Law 2472/1997 on data processing does not explicitly address children’s data protection.

With regards to the conditions applying on child’s consent in relation to information society services, the threshold of sixteen (16) years old introduced by the GDPR is in force in Greece. More specifically, consent of a child above sixteen (16) is deemed valid, whereas below sixteen (16) years old, such processing shall be lawful only if and to the extent that consent is given or authorized by the holder of parental responsibility over the child. It should be highlighted that the Greek draft law -which once finalized and published will repeal and replace the existing national framework- in its publicly available version lowers the age of valid digital consent to fifteen (15) years old. According to the GDPR, Member States may provide by law for a lower age for those purposes provided that such lower age is not below thirteen (13) years.

Moreover, the HDPA in line with the interpretation provided so far by WP 29 as also approved by the European Data Protection Board, further underlines that in cases of a child’s consent, the language addressed to data subjects should be simple, explicit and understandable. Furthermore, under the light of the GDPR’s Preamble and the Guidelines, automated decision-making, including profiling having legal effects on children or significantly affecting them is prohibited, although certain exceptions are allowed when appropriate safeguards have been put in place. Additionally, children’s vulnerability should not be taken into advantage and children should always benefit from the absolute right to object to profiling for purposes of commercial promotion.

Turkey Small Flag Turkey

There are no provisions within the local data protection legislation specifically addressing the processing of personal data relating to children.

Austria Small Flag Austria

In Austria, children can consent to the processing of their personal data relating to the so-called "information society services" (e.g. social media platforms) once they reach the age of 14. Below this age limit, consent of the legal representative (parents) of the child or the consent of the child together with the consent of the legal representative is required. The controller must ensure that consent has been given by or together with the consent of the holder of parental responsibility for the child. The legal situation for data processing not related to information society services has not yet been finally clarified.

France Small Flag France

Children need particular protection when their personal data is being collected and processed as they may be less aware of the risks involved or their rights. A controller will need to assess the safeguards that they will need to put in place to make sure that the processing is fair and that a lawful basis is met. For example where consent is the lawful basis for processing the child's parent or guardian will need to be contacted to consent to the processing. A controller should keep under review age verification and parental responsibility mechanisms to ensure that it is using the most appropriate mechanisms to reduce the risks.

In relation to the offer of online services directly to a child (information society services), if the data subject is a child of at least 15 years old and they have given consent to the processing of his/her personal data, the processing will be lawful. Where the child is below 15 years old, such processing shall only be lawful if consent is given by both the child and the holders of parental responsibility over the child (Data Protection Act of 1978, Article 45). The controller shall make reasonable efforts to verify that consent is given or authorised by the holder of parental responsibility over the child, taking into consideration available technology.

Any information and communication where processing is addressed to a child, should be in clear and in plain language that the child can easily understand. Children have the same rights as adults in relation to the processing of their data and the right to erasure of data is particularly relevant if they gave their consent to the processing when they were a child.

An issue may arise because a different age will apply in different countries, so businesses with a European reach will have to know the location of the child to ensure the right rules can be applied.

United States Small Flag United States

At the federal level, COPPA governs the collection, use and disclosure of personal information collected from children under the age of 13 by operators of websites and other online services. COPPA is enforced by the FTC, which takes a broad view of COPPA’s scope, applying it to many different types of online services (including video games, websites and connected toys) and operators (including third-party contractors, advertisers and others who passively collect children’s personal information). COPPA requires transparent and accessible privacy policies; heightened security practices to safeguard children’s personal information; and verifiable parental consent before collection, use or disclosure of children’s personal information, with narrow exceptions, including for internal operational purposes, one-time responses and email verification. COPPA also places limits on the use of personal information collected online from children for direct marketing purposes.

In addition, FERPA governs how schools collect, use and disclose information from students’ educational records, including information collected about children or minors. FERPA sets forth certain rights and restrictions concerning the disclosure of students’ educational information – which generally requires written consent – and how parents and students may access, revise or delete student educational information.

A handful of states have implemented privacy laws that specifically address the collection and use of children’s, students’ or minors’ personal information. For example, California’s Privacy Rights for California Minors in the Digital World law allows California residents under the age of 18 to delete publicly available personal information they have submitted online. Michigan and Utah have Child Protection Registry Acts. And several states have laws governing schools’ and third-party contractors’ collection, use, disclosure and sale of educational information. In addition, when the CCPA takes effect in January 2020, businesses may not sell PI of California residents under the age of 16 without their or, in the case of children under 13, their parent’s opt-in consent.

Updated: May 16, 2019