Consent from minors: a good thing to do? On Wednesday February 7, 2018, the National Assembly adopted an amendment, adding to the Data Protection Act article 7-1, relating to the consent of minors to the processing of their personal data.
Consent linked to the direct provision of Information Society services to children
This article - a proposition to the French Law Commission - chooses to use the room for manoeuvre left to Member States by the GDPR by lowering from 16 to 15 years the age at which "a minor may consent alone to the processing of personal data with regard to the direct provision of Information Society services".
Two assumptions in which the application of this rule is based:
- the processing must be based on consent
- the processing must be linked to the direct offer of information society services, in particular to electronic commerce or, more broadly, to the Internet.
In such a case, the processing is lawful only if the holder(s) of parental authority have authorised it.
More specifically, consent related to the direct provision of Information Society services to children.
This article - proposed by the Law Commission - chooses to use the room for manoeuvre left to Member States by the GDPR by lowering from 16 to 15 years the age at which "a minor may consent alone to the processing of personal data with regard to the direct provision of Information Society services".
There are two presuppositions on which the application of this rule is based:
- the processing must be based on consent;
- the processing must be linked to the direct offer of information society services, in particular to electronic commerce or, more broadly, to the Internet.
In such a case, the processing is lawful only if the holder(s) of parental authority have authorised it.
More specifically, parental consent will be necessary in all cases where processing should be based on the consent of the data subject, for example in the case of automated decision making or collection of sensitive data. In addition to these classical cases, a combined reading of paragraph 38 of the preamble and Article 6-1-f) of the GDPR makes it possible, in particular, to specify that parental consent will be necessary in the case of "the use of personal data relating to children for marketing purposes or the creation of personality or user profiles and the collection of personal data relating to children when using services offered directly to a child", where the use of an adult's data for the same purposes could potentially be based on the legitimate interest of the data controller.
What are the necessary verifications?
Thus, in the event of processing of personal data (i) via an Internet service aimed in particular at children and (ii) based on the consent of these children, two confirmations would therefore be required:
(1) The first relates to the age of the person using the service (the current traditional methods can range from a simple declaration to a videoconference with the person and the sending of a copy of an identity document);
2) The second - in the case of a minor under 15 years of age - relating to the agreement of the holder(s) of parental authority (not very widespread today, although solutions similar to those mentioned above can be imagined).
In practice, how can one be certain of the age and/or identity of a user on the Internet?
During the debates on 7 February at the National Assembly, it was stressed that "all the companies interviewed acknowledged that it is impossible for them to verify the actual age of people registered on these networks, unless they implement profiling measures or carry out identity checks which would be completely contrary to the regulations".
In this respect, Article 8 of the GDPR specifies that the controller must make reasonable efforts to verify, where the child is under 15 years of age, "that consent is given or authorized by the holder of parental responsibility for the child, taking into account the technological means available".
This element - provided for in the initial Commission proposal in 2012 - seems to indicate on the one hand that the purpose of the checks does not concern the age declaration, and on the other hand that in the case of a declared age of less than 15 years, the ordinary requirement to demonstrate validity with regard to consent (parental in this case) will be reduced to a requirement to demonstrate reasonable efforts to verify such validity.
In this respect, the Article 29 Working Party was able to specify in its guidelines on consent that reasonable verifications would necessarily depend on the risks associated with the processing, ranging from verification by e-mail in case of low risk to a verification service by a trusted third party in case of high risk, and stressing that the solutions chosen must avoid excessive collection of additional personal data for verification purposes.
Other processes involving the data of minors
Except in the case specifically addressed by Articles 8 of the GDPR and 7-1 of the French Data Protection Act, the classic rules applicable to minors will apply. To date, this area is governed in France by the Civil Code, which states that "any person incapable of contracting may nevertheless perform alone the common acts authorized by law or custom, provided they are concluded under normal conditions".
This rule will apply in particular in the case of processing of personal data necessary for the performance of a contract or the provision of a service on the Internet (e.g. creation of an account on a platform for the provision of games) or for any processing of personal data not related to the provision of an information society service (e.g. paper form relating to sports club registration).
If the act can be considered routine and the conditions offered are normal, then the child can provide his or her personal data alone. Otherwise, parental consent is required, up to the age of 18, otherwise the processing is invalid. Both Article 8 of the GDPR and its transposition into national law favor information society services, in that the risk of invalidity of processing based on consent (and thus of sanction by the supervisory authorities) is ruled out as soon as the minor is over 15 years of age or reasonable checks have been carried out.
In France and as of May 25, 2018, parental consent will now be required instead of the consent of a minor under 15 years of age to the processing of his or her data on the Internet, and instead of the consent of a minor under 18 years of age in all other cases (with the exception of routine acts concluded under normal conditions).
Want to find out more about how to ensure GDPR compliance?
{{discover-didomi-for-compliance}}