Editor's Note:

Thomas Shaw is the author of the newly released IAPP book: DPO Handbook — Data Protection Officers Under the GDPR. 

Special events involving children are often highly sought after by children and their parents alike. Especially those that involve going through an assessment process to be selected for something as prestigious as: national science fairs, debate contests, math competitions, coding conferences or programs taught at prestigious schools and universities. It's always a proud moment to be among those who get invited. It is then very disappointing, after the child has already been chosen, to be presented with a “consent” form that the parent must sign for the child to further participate in the desired program.

These forms typically combine several different rights together when seeking a single consent. Typical are those forms asking for consent to use a child’s personal data and image, and consent to the ownership of any intellectual property generated by the child’s participation in the program. Worse, the intended processing of personal data requires that the parent agree to allow images taken of their child during the program to be permanently retained and used on social media and websites for the program’s publicity. The right to not consent along with alternative ways to participate is never provided, and the right to withdraw consent is not stated.

Based on reading these “consent” forms, they would appear to violate the Data Protection Directive and the General Data Protection Regulation, which require consent to be unambiguous, specific, informed and freely given to be valid. In these cases, consent cannot be freely given, due to the coercive nature of the form’s wording and the process of obtaining consent. As such, gathering consent in such a manner and the subsequent processing of the children’s personal data would be illegal.

The law

Consent is required to be freely given to valid. The Article 29 Working Party WP187 document states, “Consent can only be valid if the data subject is able to exercise a real choice, and there is no risk of deception, intimidation, coercion or significant negative consequences if he/she does not consent. If the consequences of consenting undermine individuals' freedom of choice, consent would not be free.”

Futher, WP29 WP131 states that “free consent means a voluntary decision, by an individual in possession of all of his faculties, taken in the absence of coercion of any kind, be it social, financial, psychological or other. Any consent given under the threat of non-treatment or lower quality treatment in a medical situation cannot be considered as ‘free’  ... Reliance on consent should be confined to cases where the individual data subject has a genuine free choice and is subsequently able to withdraw the consent without detriment.”

Because valid consent is not possible where significant negative consequences like non-participation are present, the data controllers must find their legal basis elsewhere or provide a valid method of consent. WP187 makes it clear that if consent is initially asked for, but another legal basis is used, then “doubts could be raised as to the original use of consent as the initial legal ground: if the processing could have taken place from the beginning using this other ground, presenting the individual with a situation where he is asked to consent to the processing could be considered as misleading or inherently unfair.”

In addition, the ability to withdraw consent is required. As WP187 states, “In principle, consent can be considered to be deficient if no effective withdrawal is permitted.”

The situation of a child and their parent being forced to consent or lose the ability to participate is similar to that of an employee. As described in WP29 WP48 “where consent is required from a worker, and there is a real or potential relevant prejudice that arises from not consenting, the consent is not valid in terms of satisfying either Article 7 or Article 8 as it is not freely given. If it is not possible for the worker to refuse it is not consent.… An area of difficulty is where the giving of consent is a condition of employment. The worker is in theory able to refuse consent, but the consequence may be the loss of a job opportunity. In such circumstances consent is not freely given and is therefore not valid.

WP29 WP259 further clarifies prior guidance, noting that “The concept of consent as used in the Data Protection Directive … has evolved. The GDPR provides further clarification and specification of the requirements for obtaining and demonstrating valid consent.” And, “If consent is bundled up as a non-negotiable part of terms and conditions it is presumed not to have been freely given. Accordingly, consent will not be considered to be free if the data subject is unable to refuse or withdraw his or her consent without detriment. The notion of imbalance between the controller and the data subject is also taken into consideration by the GDPR.”

GDPR Recital 38 states that, “Such specific protection should, in particular, apply to the use of personal data of children for the purposes of marketing.” The emotional aspects for children and their parents are described in this statement from WP187 that, “While a situation of subordination is often the main reason preventing consent to be free, other contextual elements can influence the decision of the data subject. They can have for instance a financial dimension, or an emotional or a practical dimension.”

The forms

These forms typically demand consent as a prerequisite for further participation but offer no alternative manner for a child to participate in the program if refusing to consent to having their image captured and processed online. None of the main activities of the children’s participation have anything to do with the capture of their images. The images of these children instead are not only captured but then further processed by posting on publicly available social media and websites. What happens to the images of children on the Internet when bad actors intervene is well known enough. There should always be a more granular ability to restrict the use of a child’s images to a less durable medium such as broadcast television, printed newspapers, or Snapchat-like capabilities while withholding consent to other more durable mediums such as social media, video portals, and other websites.

Parents should be able to withhold consent entirely to processing of the images of their child online, when that processing is not strictly necessary as part of the principal activity the children are involved in. Differentiation should also be made of photos of individual children or close-ups and photos of large groups of children or crowd scenes and also for labels naming the child or their school and unlabeled photos. Videos that depict any child individually should require separate consent, given the additional invasive properties of video and any audio recorded should be strictly necessary for participation in the program. The consent forms combine IP and personal data into a single consent, contrary to the GDPR requirement that they be properly unbundled. The forms also do not provide notification of the ability to withdraw consent previously granted.

So, what exactly are the DPAs doing about it? Has anyone seen a specific instance of their DPA educating controllers or starting enforcement actions based upon coerced consent of parents regarding processing of their children’s personal data? The GDPR requires in article 57(1)(b) that DPAs have as one of their tasks “Activities addressed specifically to children shall receive specific attention.” When will all DPAs across the EU start educating and investigating controllers about these widespread violations of consent to the processing of children’s personal data?