Article 8

Conditions Applicable to Child’s Consent in Relation to Information Society Services

Overview:

Article 8 of GDPR outlines the conditions for obtaining consent from children while providing information society services. The information society services include social networks, gaming sites, and other web site services. While processing the personal data under the age of 16, the data controller shall obtain the consent from the parent/guardian or the individual who holds the parental responsibility of the child. The article further mentions that the member states can reduce the age up to 13.

Implementation Guidance

  1. Implement age verification mechanism to validate whether the user is a child as per the age set forth by the member state. Consider implementing additional controls that may include but not limited to  validating using Date of Birth provided by the user, obtaining approval email from parent/guardian
  2. Communicate clearly to the parent or child on the purpose of processing, how the data is used, sharing with third-party with absolute clarity before obtaining the consent
  3. Implement parental consent mechanism for obtaining the consent if the user is below the specified age. 
  4. Implement additional mechanisms to verify the consent like asking for a valid ID or any other details as approved by the law of the land.
  5. Ensure that you have a mechanism implemented for easy  withdrawal of consent from children/parents.
  6. Maintain a record of all these transactions
  7. Review and update the consent mechanism regularly in accordance with the requirements of GDPR.
  8. Demonstrate these mechanism when required

Additional controls to consider:

Implement logging and alerting mechanisms so that parents are informed in case of any anomalies.

Implement parental control features if your nature of business demands. 

Compliance Checklist

  1. Privacy Policy
  2. Privacy Notice
  3. Policies and procedures on the consent mechanism
  4. Records of consent ( eg: data and time, details provided for obtaining consent)
  5. Data processing Agreement with third-parties with provision of obtaining and managing consent in accordance with GDPR
  6. Periodic Audits

Examples and Use Cases

  1. A social media website asks for parental constant for users under the age of 16. The parent/guardian receives a link for the approval in an email. The subscriber can use the service only after receiving the consent form of the parent/guardian.
  2. An online movie streaming website implements parental control features so that the parents can monitor their online activities.

Legal text

[Add legal text here]

Additional Resources

[Add links to additional resources here]

Scroll to Top