GDPR Age of Consent Isn't Child's Play

Posted by

Martin Schofield

on 09 Feb 2023


GDPR rules protect personal data. Not only does it protect adults' privacy, but it also guards children against exploitation. So what's the age of consent?

GDPR Age of Consent Isn't Child’s Play

As adults, we can make informed decisions about collecting or processing our data. But what about children? At what age are they expected to be able to make their own decisions? And is this reasonable or realistic?

What is the GDPR age of consent?

Under GDPR Article 8, the age of consent, i.e. when a child is required or able to consent to process of their data, is 16. However, member states can allocate their age of consent, with a cap of 13 years of age.

In the UK, the age of consent is 13, so the lowest age that the GDPR will allow.

Is that age of consent low enough? Or too high?

The purpose of consent is to draw a line in the sand showing from which age onward children can provide their consent for processing their personal data.

Generally, we tend to think of children's data used for social media purposes, such as Instagram, which is aimed at those 13 years of age or more. There is even an online form to enable the reporting of account users who are younger than that.

Free GDPR Self-assessment Questionnaire

How does the GDPR age of consent differ in the EU?

Many EU member countries share the same age of consent as the UK. There are a few that have an older age of consent.

  • Austria - 14 years old
  • Belgium - 13 years old
  • Bulgaria - 14 years old
  • Croatia - 16 years old
  • Czech Republic - 15 years old
  • Denmark - 13 years old
  • Estonia - 13 years old
  • Finland - 13 years old
  • France - 15 years old (or younger with parental consent)
  • Germany - 16 years old
  • Hungary - 16 years old
  • Ireland - 16 years old
  • Italy - 14 years old
  • Latvia - 13 years old
  • Malta - 13 years old
  • Netherlands - 16 years old
  • Poland - 16 years old
  • Portugal - 13 years old
  • Republic of Cyprus - 14 years old
  • Slovakia - 16 years old
  • Spain - 14 years old
  • Sweden - 13 years old
  • United Kingdom - 13 years old

Are children putting their online security at risk?

Despite the regulations, the UK's Children's Commissioner says that children unwittingly give away rights to their private data and put their online security at risk.

A survey undertaken by the Commissioner's Growing Up Digital taskforce revealed that nearly 50% of 8 to 11 year old's agreed to vague terms and conditions offered by social media firms.

None of the children surveyed fully understood the terms and conditions of Instagram, which is used by more than half of 12 to 15 years and 48% of 8 to 11-year-olds.

Only half of these 8 to 11-year-olds can even read the terms, which run into more than 5,000 words over 17 pages of text. However, Instagram is aimed at ages 13+ and has a reporting facility for younger users.

According to Ofcom, 60% of children under the age of 13 who use social media have social media accounts despite being underage.

Free GDPR Personal Data Awareness Poster

Can we expect children to make informed choices about their personal data rights?

That said, common sense should tell us that children, even at the age of 13, cannot reasonably be expected to make informed choices about their rights relating to personal data.

The world of data protection is a minefield filled with legal and compliance professionals who can debate the topics and intricacies of such for hours on end. Yet under GDPR, we allow children as young as 13 to make decisions regarding their data protection.

What is the need for parental intervention?

Clearly, there is still a need for parental intervention. Parents need to provide some guidance to their children at least. Interestingly enough, parents do intervene when it comes to financial matters, like choosing whether to provide or withhold their consent on child bank accounts and trust funds.

Similarly, it will be interesting to see in which direction financial services firms move regarding child consent. Whether children consent to receive marketing and promotional material or seek to restrict or withdraw consent, they are likely to lack any real understanding of the impact and consequences of such instructions.

GDPR Training Presentation

Want to learn more about GDPR?

We've created a comprehensive GDPR roadmap to help you navigate the compliance landscape, supported by a comprehensive library of GDPR Courses.

We also have 100+ free compliance training aids, including assessments, best practice guides, checklists, desk-aids, eBooks, games, posters, training presentations and even e-learning modules!

Finally, the SkillcastConnect community provides a unique opportunity to network with other compliance professionals in a vendor-free environment, get priority access to our free online learning portal and other exclusive benefits.

Compliance Bulletin

Compliance Bulletin

Our monthly email provides best practices, expert opinions, industry insights, news and key trends in regulatory compliance training, digital learning, EdTech and RegTech.