Every day thousands of children and teenagers connect to the internet, where several websites gather their personal data, without them being aware of that. Because of this worrying phenomenon, the GDPR intervenes and set up rules in order to protect minors against companies active on the internet.
Children are the most exposed at online marketing, as some of them visit several web pages, subscribe to newsletters and web pages, provide sensible data such as phone numbers and even bank account numbers. Once the said companies have gathered those sensible data, it is quite easy for them to use the data, send email or SMS notifications and ask for a contribution in cash. Some gaming apps for instance requires a payment from the player in order for them to be able to continue using the game, regardless of the players age. Minors are the first victims of these aggressive marketing strategies.
According to recital 38 of the GDPR : « children require a specific protection when it comes to their personal data, as they might not be aware of the risks, the consequences and the guaranties and their rights linked to the processing of personal data ».
In order to protect minors against the hazards that might arise from sharing personal data, the GDPR further provides that : « the processing of a children’s personal data is licit, provided that the child is at least 16 years old. If the children is underneath that age, e.g.16, the data processing is lawful only if the consent to process with personal data has been granted by the holder of parental responsibility with regard to the child ». (Article 8 GDPR).
The age is set up to 16 years old by the GDPR, however the latter leaves it to the Member States to determine on their own, the age at which point a minor does not require parental responsibility, provided that the age is neither under 13 nor above 16. France for instance decided that a 15 years old aged minor (and above)was capable of enough discernment for not needing parental consent anymore. In Luxembourg this age has been set up to 16 years old.
Following the change of paradigm it is up to the professionals of the information companies to ensure that a consent of the minors and their legal representant has been granted « given the available technological tools » (article 8-2 GDPR). But it is not an easy task, the access to porn sites is a good example. It is in deed very easy for users of all age to access such websites without any further issues, as no control takes place with regard to the ages of the user of those websites. Sensitive data such as the IP address of their computer or smartphone may then be collected and processed without the minor taken notice.
By what means the data controllers may solve this issue in order not to go against the respect for privacy and the right to personal data protection ? The request of an id card, a credit card number or a phone number are suitable solutions in order to check the users age, even though this kind of monitoring includes the gathering of sensible data that might worry the users as for the processing of personal data.
What are the minors means of response ? Article 17 of the GDPR relating to the right of erasure (« right to oblivion ») provides that « The person who might be concerned has the right to obtain from the data controller the deletion, at the earliest opportunity, of personal data concerning himself and the data controller is under obligation to erase the personal data at the earliest opportunity ».
The GDPR prescribes severe penalties in case of violation of the aforesaid provisions. In that respect, the data controller exposes himself to penalties who might amount to 20 million euros or to 4% of the total worldwide annual sales revenue of the previous year.
For example, about 500,000 customers of British Airways have been victim of hacking and misuse of their personal data in October 2018, including for some of them sensible data such as credit card details.
The ICO, the British equivalent to the « Commission Nationale de Protection des Données CNPD » has the intention to sanction the company up to 201,6 million euros, more or less 1,5% of the sales revenue of IAG in 2017, the parent company of British airways.
In conclusion, the GDPR has planed all required legal dispositions in order to protect the minors personal data. However, the role of the parent is still of major importance when it comes to the protection of children’s personal data, as their consent is essential for the lawfulness of the proceeding of personal data linked to a child. Parents are the ones who might warn minors against the hazards of an online overexposure and limit the access to online websites through parental control.