What's a suitable age of consent in relation to GDPR?
The age of consent, i.e when a child is required or able to give their consent for the processing of their own personal data under GDPR, Article 8, is 16 years of age, although member states are allowed to allocate their own age of consent, provided that this does not fall below the age of 13. In the UK, the age of consent has been taken to be 13, the lowest age that the GDPR will allow.
Is that low enough? Or too high?
The purpose of consent is to draw a line in the sand showing from which age onwards children can provide their own consent for the processing of their personal data. We tend to generally think about children’s data being used for social media purposes, such as the Instagram service, which is aimed at users who are at least 13 years of age, and even has an online form to enable the reporting of account users who are younger than that.
A survey undertaken by the Commissioner’s Growing Up Digital taskforce revealed that nearly 50% of 8 to 11 year olds agreed to vague terms and conditions offered by social media firms, and that none of the children surveyed fully understood the terms and conditions of the Instagram service, which is used by more than half of 12 to 15 years and 48% of 8 to 11 year olds, with only half of these 8 to 11 year olds even being able to read the terms, which ran into more than 5,000 words over 17 pages of text. All of this, despite as mentioned above, Instagram being aimed at ages 13+ and with a reporting facility for users aged less than 13.
According to Ofcom, 3 and 4 year olds spend 8 ¼ hours a week online, 12 to 15 year olds spend more than 20 hours and 70% of them have a social media profile.
As with most adults, if I want to know anything about social media, I’ll ask a child member of my family or circle of friends, there are no greater experts in the use of social media sites than children – but experts in compliance we can tell from these statistics alone, they are not.
Having said that, even common sense should tell us that children, even at the age of 13, cannot reasonably be expected to make informed choices about their rights relating to personal data, the world of data protection is a minefield, and filled with legal and compliance professionals who can debate the topics and intricacies of such for hours on end, yet under the UK’s enactment of GDPR, we will be allowing children as young as 13 to be making their own decisions regarding their own data protection.
Clearly there is a need for parental intervention still, and for parents to at least provide guidance to their children in this topic, and interestingly enough, I am sure that the parents will do so when it comes to financial matters that these 13 year olds will be able to choose whether to provide or withhold their consent on, matters such as child bank accounts and child trust funds. Similarly, it will be interesting to see the direction in which financial services firms move when it comes to consenting children, who consent to receive marketing and promotional material, or who seek to restrict or withdraw consent, perhaps without any real understanding of the impact and consequences of such instructions.