
Privacy Tracker | Will GDPR Move Age of Consent to 16?




In the United States, since the passage of the Children’s Online Privacy Protection Act (COPPA) in 1998 and the Federal Trade Commission’s (FTC) subsequent COPPA Rule in 2000, there have been specific rules regarding the collection of data from children under 13.

Namely, you can’t do it unless you obtain “verifiable parental consent,” with certain limited exceptions. Recently, you may have heard the FTC will now accept “selfies” as a method of parental consent, for example.

It was no surprise, then, when the European Commission released its first draft of the General Data Protection Regulation in 2012, to see language similarly protecting children under the age of 13. The current Directive has no specific protections for children.

In Article 8 of the original draft, the Commission proposed, “in relation to the offering of information society services directly to a child, the processing of personal data of a child below the age of 13 years shall only be lawful if and to the extent that consent is given or authorised by the child's parent or custodian. The controller shall make reasonable efforts to obtain verifiable consent, taking into consideration available technology.”

There’s also language saying the Commission reserves the right to figure out what “reasonable” might mean and what specific methods of obtaining consent would be appropriate. In many ways, it’s similar to COPPA.

However, in the most recent draft of the GDPR, released by the European Council and obtained by Statewatch, the language is changed, most notably raising the age to 16:

“Where Article 6 (1)(a) applies, in relation to the offering of information society services directly to a child, the processing of personal data of a child below the age of 16 years shall only be lawful if and to the extent that such consent is given or authorised by the holder of parental responsibility over the child.”

This would be a significant departure from the likes of COPPA, and may take many of those offering services to teenagers by surprise.

Already the gaming industry, advertising industry and others had been preparing their members for the switch to the 13-year threshold. Raising the bar to 16 may be perceived as another matter entirely.

The Advertising Education Forum, for example, released an educational document in 2013 outlining the impact of the creation of an age limit where parental consent would be needed. In its policy recommendations to lawmakers, the document asserts, “Children should be defined as under 13, according to international and EU best practice.”

Similarly, an article in Games Industry from January of this year noted, “This will bring the EU's data protection regime more closely in line with the US's Children's Online Privacy Protection Act of 1998 which places similar requirements on any company that wishes to process any personal information relating to a child under the age of 13 years.”

As the trilogue negotiations are opaque, it’s unclear why this change would be made by the Council or who is particularly in favor of it. The Parliament’s draft has never wavered from the age of 13 and Article 8 is one of the few pieces of the GDPR where the Parliament’s draft is relatively unchanged from the original Commission proposal.

The Parliament added two significant pieces: first, a requirement that information provided to children and their guardians regarding consent be in plain language; second, that the European Data Protection Board, and not the Commission, be entrusted with issuing best practices and guidelines for obtaining and verifying consent.

Up till now, no one has mentioned raising the age to 16.

“One area where Europe has previously lagged behind the U.S. is in the protection of children's data and this new rule will have significant implications,” noted Nicola Regan, CIPP/E, senior partner with the Privacy Partnership and a former policy analyst for the Information Commissioner’s Office in the UK. “A parental consent requirement for the processing of under 16's data will have huge implications on the use of social media by children. Younger European teenagers may miss out on services if companies think the burden of obtaining parental consent is too great. Instead they may opt to designate such services as only for those 'over 16.'”

This has some children’s advocates already weighing in. Janice Richardson, former coordinator of the European Safer Internet Network, and now expert to the ITU and the Council of Europe, has published an open letter strenuously objecting to the change. She notes that moving the age to 16, when the international standard has been 13 and many children between 13 and 15 have already been using many Internet services frequently, will likely only incentivize children to lie about their age, bar them from accessing information and services that are their fundamental human rights and possibly keep them from seeking support services if they are amongst vulnerable communities like those who are being abused or are LGBTQ.

“Online services have provided children with a safe place to explore and learn and indeed, according to renowned researcher Dr. David Finkelhor, appear to have had a significantly positive impact on many aspects of safety and behaviour,” she writes in the letter, which is co-signed by SOS il Telefono Azzurro of Italy, the UK’s Family Online Safety Institute and Diana Award organization, and Cyberhus of Denmark.

Hogan Lovells' Eduardo Ustaran, CIPP/E, didn't mince words on the topic. 

"My view is that requiring parental consent for the use of digital services of under 16s is probably the most unrealistic legal requirement I have come across in my career," he said. "Clearly whoever came up with that requirement does not have teenage kids. The obvious implication is that all such services will rely on different legal bases for the collection and use of young users' data." 

But, by contrast, Caroline Olstedt Carlström, chief counsel of global privacy at Sweden's Klarna, said she doesn't see such a change making a big impact.

"In Sweden and under the present regime [the directive], it's considered by the DPA that as a general rule children below 15 years of age would normally not be able to fully comprehend what the data processing activities may entail, hence, parental consent would be required (of course, in specific cases there might be exceptions)," she wrote in an email. "Furthermore, it's also a general legal requirement that children under 16 may not enter into a valid legal agreement without parental consent."

Given that, she continued, "I fail to see that this change would have a huge impact on the local market, local product offerings, etc. (very much a different view of course for US services now becoming in scope due to different territorial application). Based on the increased focus on children's online rights and needs over the last years, I find this to be a quite natural adaptation in line with the general views. Of course, it also remains to figure out effective ways of doing this and what parental authorization might entail in practice if this change makes it into the final text."

Currently, the generally held belief is that the GDPR negotiations will wrap up with a final trilogue meeting on December 15. Will this issue come up as a major negotiation point? Is the Parliament of the same mind that the age of consent should be raised to 16? Is this change in the Council draft something they’re trying to use for negotiating leverage to get some other point changed in the Parliament draft? Or is it a typo?

The latter seems unlikely, but those in the privacy community will have to wait and see.



  • John Berard • Dec 11, 2015
    Arguing the value of online services for the under 16 set, as Finkelhor did, “Online services have provided children with a safe place to explore and learn," makes the opposite true, too.  Online services can be dangerous and ignorant places.  The trick is to know when it is OK to assume one knows the difference.  That is the right age to set.
  • Jeffrey Chester • Dec 14, 2015
    Protecting adolescent privacy is important, and this article and the commenters fail to address how Facebook and other companies see teens as a lucrative market to monetize.  The IAPP and its supporters don't seriously address the privacy issues here--which illustrates why privacy advocates see IAPP more as defending the interests of industry to gather data than protecting it.  You should at least try for a more balanced approach on this issue, including discussing the calls by my NGO and many others on the need to better ensure teens control their data.
  • Sam • Dec 14, 2015
    Hi Jeff - I have been following the GDPR debate closely and have never seen anyone call for a raise of the age from 13 to 16. That's the news, as far as I'm concerned, so I focused on what the impact would be and what the reaction is. I did not find anyone celebrating the change - I published the comments I received from a pretty balanced selection of people: a former regulator, an external counsel, an internal privacy pro, and a children's advocate. 
    If you have comments on this proposal that are substantively different from the comments I found online and solicited, please pass them along. I can't tell from your comment: You think raising the age to 16 would be a good thing and you are advocating for this to be part of the final text? Would that "better ensure teens control their data"? That seems like a different issue altogether.
  • Gregory Kudasz • Dec 15, 2015
    That's a provocative headline, Sam.
    Aren't any of the EU Nations state signatories of the  Convention on the Rights of the Child? COPPA and laws like it are already in violation of articles (starting with 13). Parental consent disturbs and chills a child's right of self-expression, speech and ability to read what they wish. Government must have a compelling interest before curtailing any  rights. Since none appear presented and I don't think any exist, I am very much against this.
  • Sam • Dec 15, 2015
    Thanks for that interesting point, Gregory. When do you think children have the ability to provide valid consent for their personal data to be collected and processed?