How to be GDPR-compliant when providing services to children?


This article is written in collaboration with a law agency. However, it is intended for general information purposes only. It does not constitute a client-attorney relationship or personalized legal advice.

GDPR Art. 8 sets specific requirements for obtaining valid consent for offering services to a children (more specifically, information society services). Luckily, if your service is not directly offered to (or meant for) children, you don’t have to worry about this. However, we advise you to state the fact that you do not offer services to children and do not intend to gather their personal data. Your privacy policy is a good place to do that and the template provided by the WordPress GDPR Framework already covers this.

But what if I you do offer services to children?

First of all, if you take a look at Art. 8, you’ll see that this chapter is titled: “Conditions applicable to child’s consent in relation to information society services.” 

Let’s talk about the meaning of information society services. The term covers services that are offered from distance (i.e. parties are not simultaneously present) by electronic means (i.e. via internet) at the individual request of customer/user. Examples of information society services are: online search engines; social networks; streaming services etc.

Note that when offering information society services to a children, Art. 8 applies only if the grounds for processing is specifically consent. If you have other grounds to process children’s data, Art. 8 is not applicable.

So, assuming that you are offering information society services to children and doing processing on the grounds of consent, here’s what you need to do.

To have a valid consent for offering information society services to a child you first have to make sure what is the age from where the child can give direct consent and when you need to obtain consent from the holder of parental responsibility (the parent, mostly). Depending on your country, the age varies from 13 to 16 years. (Please note that art 8 does not affect the general contract law terms of EU Member States).

Art. 8(2) states that you must make reasonable efforts to verify the age of the child and to verify the consent given by the holder of parental responsibility. You are expected to be able to demonstrate the obtainment of valid consent. The general opinion of EU Commission is that just tick-the-box solutions for age verification are not considered to be sufficient (however, this would still better than nothing). A double-opt-in procedure is advisable. As an example of double-opt-in:

  • Ask the age of the child (or the date of birth). If it is under the age limit for direct consent in your country, ask for the email address of the parental responsibility holder.
  • Ask the holder of parental responsibility for their consent via a hyperlink sent via email.

This is not an industry standard or best practice, but legally it’s the best solution we can currently recommend. Sign up to our newsletter and we’ll keep you posted of developments in this area.

Also note that asking consent under Art. 8 should be extra clear and simple – it has to be understandable to a child!

Maarja Lehemets

Lawyer @ Triniti