As adults, we can make informed decisions about collecting or processing our data. But what about children? At what age are they expected to be able to make their own decisions? And is this reasonable or realistic?
What is the GDPR age of consent?
Under GDPR Article 8, the age of consent, i.e. when a child is required or able to consent to the processing of their data, is 16. However, member states can allocate their age of consent, with a cap of 13 years of age.
In the UK, the age of consent is 13, so the lowest age that the GDPR will allow.
Is that age of consent low enough? Or too high?
The purpose of consent is to draw a line in the sand showing from which age onward children can provide their consent for processing their personal data.
Generally, we tend to think of children's data used for social media purposes, such as Instagram, which is aimed at those 13 years of age or older. There is even an online form to enable the reporting of account users who are younger than that.
How does the GDPR age of consent differ in the EU?
Many EU member countries share the same age of consent as the UK. There are a few that have an older age of consent.
- Austria - 14 years old
- Belgium - 13 years old
- Bulgaria - 14 years old
- Croatia - 16 years old
- Czech Republic - 15 years old
- Denmark - 13 years old
- Estonia - 13 years old
- Finland - 13 years old
- France - 15 years old (or younger with parental consent)
- Germany - 16 years old
- Hungary - 16 years old
- Ireland - 16 years old
- Italy - 14 years old
- Latvia - 13 years old
- Malta - 13 years old (and 16 years old for processing personal data)
- Netherlands - 16 years old
- Poland - 16 years old
- Portugal - 13 years old
- Republic of Cyprus - 14 years old
- Slovakia - 16 years old
- Slovenia - 15 years old
- Spain - 14 years old
- Sweden - 13 years old
- United Kingdom - 13 years old
Are children putting their online security at risk?
Despite the regulations, the UK's Children's Commissioner says that children unwittingly give away rights to their private data and put their online security at risk.
A digital childhoods survey undertaken by the Children's Commissioner revealed that between 36%-79% of users aged 8-17 are under the minimum age in the terms of service on social media platforms.
Nearly half of children aged between the ages of 8 and 17 have seen inappropriate content. To make matters worse, many children don't report seeing harmful content, with older children and girls being less likely to report this type of content. Of those who do report, 25% see no action on their reports.
According to Ofcom has found that 60% of children under the age of 13 who use social media have social media accounts despite being underage. The NSPCC report reveals that about 1 in 20 children have encountered sexual risks online.
Do children make informed choices on their rights?
Common sense should tell us that children, even at the age of 13, cannot reasonably be expected to make informed choices about their personal data rights.
The world of data protection is a minefield filled with legal and compliance professionals who can debate the topics and intricacies of such for hours on end. Yet under GDPR, we allow children as young as 13 to make decisions regarding their data protection.
Is there a need for parental intervention?
Clearly, there is still a need for parental intervention. Parents need to provide some guidance to their children at least. Interestingly enough, parents do intervene when it comes to financial matters, like choosing whether to provide or withhold their consent on child bank accounts and trust funds.
Similarly, it will be interesting to see in which direction financial services firms move regarding child consent. Whether children consent to receive marketing and promotional material or seek to restrict or withdraw consent, they are likely to lack any real understanding of the impact and consequences of such instructions.
Want to learn more about GDPR?
We've created a comprehensive GDPR roadmap to help you navigate the compliance landscape, supported by a comprehensive library of GDPR Courses.
We also have 100+ free compliance training aids, including assessments, best practice guides, checklists, desk-aids, eBooks, games, posters, training presentations and even e-learning modules!
Finally, the SkillcastConnect community provides a unique opportunity to network with other compliance professionals in a vendor-free environment, get priority access to our free online learning portal and other exclusive benefits.