Skip to main content

Explore Spark

Explore the scalable platform that can be learned by anyone in 45 mins, and up and running in as little as one day.

Learn more

We’re hiring!

We have exciting new roles available. Join our growing team and begin an unforgettable journey.

Learn more

Looking for something?

Home / Resources / Child Interests Under GDPR

Child Interests Under GDPR


By now you should understand what the GDPR is, the six principles that will affect your business, what you can rely on when processing personal data, and how it will impact your future marketing communications.

Under the current Data Protection Act there are no specific provisions for the protection of data in relation to a child. The GDPR intends to outline and enhance the protection of a significant proportion of online users (1 in 3 in fact: Source - Livingstone, S., Carr, J. and Byrne, J. (2015) One in three: internet governance and children's rights (PDF). Ontario: Centre for International Governance Innovation.) who are classed as children and therefore potentially vulnerable to the risks associated with marketing and creating online profiles. The aim of these provisions being to protect the child as a person.

In Article 8, the GDPR introduces specific protections for children by limiting their ability to consent to data processing without parental authorisation. The age of consent will vary between 13 and 16 across EU Member states. As a controller, you will need to obtain the consent of a parent or guardian, whilst making “reasonable efforts” to verify that they are in effect who they say they are. Although it is worth noting that the methods for such verification have yet to be developed.

Whilst there is a definitive process you can follow if you require consent to process a child’s personal data, any reliance on “legitimate interests” necessitates a carefully crafted document showing all the elements you can use to justify how your organisations interests outweigh those of the child. Article 6(1)(f) of the GDPR notes that the rights and freedoms of a data subject may “in particular” override the interests of the controller or third party where the relevant data subject is a child. 

Top Tip: A child will attain control over their own personal data once they come of age. The will have the right to rectify, amend, delete etc and revoke control by others. 

The GDPR mostly focuses on child data in relation to online services (information society services) which provide a service at the user’s request, sometimes for remuneration. Parental/guardian consent is not required where the processing is related to preventative or counselling services offered directly to a child.

Top Tip: Remain aware of national legislation for offline data processing relating to children’s data. 

Article 40 requires Member States and supervisory authorities to encourage the creation of codes of conduct, including in the area of the protection of children, and concerning the ways in which consent can be collected from the holder of relevant parental responsibility. 

Top Tip: Organisations that process personal data relating to children should watch for the creation of codes of conduct by member states, which might impose particular additional requirements.

Are you aware that Sponge also offer GDPR compliance training for your employees? 


Privacy notices for children

Where services are offered directly to a child, you must ensure that your privacy notice is written in a clear, plain way that a child will understand.

If your basis for processing a child’s personal data is consent, according to your member state age limit, a child under that age instead requires consent from a person holding ‘parental responsibility’.

Top Tip: Solely automated profiling is forbidden on a child’s personal data

If you or your organisation is processing the personal data of children, there are extra measures and thought-processes that need to be completed. We recommend you ask yourself questions such as the following:

  • Am I obtaining data from anyone under the age of 18?
  • Do I require all the information I am collecting?
  • Do I have consent from either the child, if they are over 13, or the person with parental responsibility?
  • Am I relying on legitimate interest?
  • Do I have a document outlining why I don’t require specific consent?
  • Do I have a privacy policy written not only in plain English, but in language a child will understand?
  • Do I have a retention policy?
  • Do I know who has access to children’s personal data?

If you have any questions about the points I've raised, or want a more in-depth chat about all things GDPR, please get in touch via the form below.