As adults, we can make informed decisions about collecting or processing our data. But what about children? At what age are they expected to be able to make their own decisions? And is this reasonable or realistic?
What is the GDPR age of consent?
Under GDPR Article 8, the age of consent, i.e. the age at which a child is required or able to give their own consent to the processing of their data, is 16. However, member states can set their own age of consent, provided it is no lower than 13.
In the UK, the age of consent is 13, the lowest age that the GDPR will allow.
Is that low enough? Or too high?
The purpose of the age of consent is to draw a line in the sand showing the age from which children can provide their own consent for the processing of their personal data.
Generally, we tend to think about children's data being used for social media purposes, such as on Instagram, which is aimed at those aged 13 or over and even has an online form for reporting account users who are younger than that.
How does the GDPR age of consent differ in the EU?
Many EU member countries share the same age of consent as the UK. Only one or two set an older age, and, surprisingly, some nations have no provisions.
- Austria - 14 years old
- Belgium - 13 years old
- Czech Republic - 15 years old
- Denmark - 13 years old
- Finland - 13 years old
- France - 15 years old (or younger with parental consent)
- Germany - None
- Hungary - None
- Ireland - 16 years old
- Italy - 14 years old
- Netherlands - 16 years old
- Poland - None
- Slovakia - 16 years old
- Spain - 14 years old
- Sweden - 13 years old
- United Kingdom - 13 years old
You can stay updated on each country with the handy Two Birds GDPR Tracker.
Are children unwittingly putting their online security at risk?
Despite the regulations, the UK's Children's Commissioner says that children unwittingly give away rights to their private data and put their online security at risk.
A survey undertaken by the Commissioner's Growing Up Digital taskforce revealed that nearly 50% of 8 to 11-year-olds agreed to vague terms and conditions offered by social media firms.
None of the children surveyed fully understood the terms and conditions of Instagram, which is used by more than half of 12 to 15-year-olds and 48% of 8 to 11-year-olds. Only half of these 8 to 11-year-olds can even read the terms, which run to more than 5,000 words over 17 pages of text. However, Instagram is aimed at ages 13+ and has a reporting facility for younger users.
According to Ofcom, 12 to 15-year-olds spend more than 20 hours a week online, and 70% of them have a social media profile. Interestingly, Ofcom also reports that even 3 and 4-year-olds spend 8 ¼ hours a week online - that's quite a crazy thought!
As with most adults, if I want to know anything about social media, I'll ask a child in my family or circle of friends. There are no greater social media experts than children, but these statistics show that they are not compliance experts.
Can we expect children to make informed choices about their personal data rights?
That said, common sense should tell us that children, even at the age of 13, cannot reasonably be expected to make informed choices about their rights relating to personal data.
The world of data protection is a minefield filled with legal and compliance professionals who can debate its topics and intricacies for hours on end. Yet under GDPR, we allow children as young as 13 to make decisions regarding their data protection.
The need for parental intervention
Clearly, there is still a need for parental intervention. Parents need to provide at least some guidance to their children. Interestingly enough, I am sure that parents do so regarding financial matters, like choosing whether to provide or withhold their consent on child bank accounts and trust funds.
Similarly, it will be interesting to see which direction financial services firms move in regarding children's consent. Whether children consent to receive marketing and promotional material or seek to restrict or withdraw consent, they are likely to lack any real understanding of the impact and consequences of such instructions.