When collecting personal data from minors online, how confident can you be that consent truly comes from parents? While the digital world empowers children with endless opportunities, safeguarding their privacy remains a crucial challenge. Most privacy laws require parental consent for minors, recognizing that children cannot grasp the implications of data processing. This article explores the legal requirements,  methods, and difficulties businesses face to obtain verified parental consent.

What is verified parental consent?

Most legal systems around the world agree that children are not capable of understanding the implications of consent and, thus, are not allowed to enter into a contract.  This also applies to privacy laws. In most privacy laws, children can only use age-appropriate services, that too only with the consent of their parent or guardian. This is due to two things:

  • Laws do not recognize contracts entered into by minors alone due to their limited understanding of implications.
  • Privacy laws extend this notion by requiring parent/legal guardian’s consent for minors to use online services.

Verified parental consent refers to obtaining consent from a parent or guardian and reasonably verifying their identity before collecting, using, or sharing a minor’s personal information. This verification is also important for offline activities.

The process of verified parental consent is complex, as businesses must balance legal compliance, child protection, parental rights, and user experience. 

GDPR and privacy of children

The General Data Protection Regulation (GDPR) is a privacy regulation established by the European Union to control the handling of personal data of European residents, including children, by private businesses. Given its global reach, businesses worldwide that process data of European residents must adhere to GDPR rules. Specifically, GDPR outlines provisions for the processing of minors’ data with parental consent.

Read: A 101 Guide to GDPR consent

There are three provisions in GDPR that deal with verified parental consent or consent regarding a child. Let us see what they are:

Article 8

Article 8 deals with conditions applicable to the consent of a child. Here is a breakdown:

  1. Age of consent
    • 16 and above: In this case, the consent of the person is enough to process the data.
    • Below 16: In this case, verified parental consent must be taken.

Note that the respective EU countries can lower the age of consent to as low as 13, depending on their respective laws. 

  1. The controller (responsible for deciding what to do with the collected personal data) must make reasonable efforts to verify the parent’s identity when obtaining consent, using available technology. This could also mean that the controller should make efforts to incorporate newer technologies to obtain and verify parental consent. 
  2. The consent given for processing the personal data does not imply consent to a contract. This means that consent to service terms and conditions is distinct from consent for the processing of personal data. Both must be obtained separately.

Recital 38

This GDPR Recital states that children’s data requires special protection, as they are less likely to be aware of consequences concerning their personal data and their rights related to it.

It highlights where special protection is particularly important:

  • Marketing and profiling: Children are more prone to manipulation and exploitation, especially online. Targeted ads, especially the ones focused on adult products (e.g. cigarettes or vapes), would negatively influence children. Therefore, they require special protection.
  • Services offered directly to children: There would be services directly offered to children. Even basic information collected from children can create vulnerabilities. E.g. websites with games intended for adults may unintentionally expose children to mature content through targeted advertisements if data is collected from their interactions with the site. Therefore special consideration must be taken to prevent such circumstances.

While it is important to obtain verified parental consent,  it also acknowledges that children have some autonomy, and their development requires it. Therefore, in some cases, such as preventive or counseling services, verified parental consent may not be required. 

Recital 58

Recital 58 does not explicitly mention children’s privacy. It emphasizes the need for transparency and states that any information directed at the public must be in simple language. More so in the case of children. Since they are the most vulnerable group, information or communication addressed to children must be in clear and plain language that they can understand. 

How to verify parental consent?

Since neither the GDPR nor the authorities, including the European Data Protection Board (EDPB), give clarifications or guidelines on methods to obtain verified parental consent, we will rely on the Federal Trade Commission (FTC) to understand how verified parental consent can be obtained. FTC shares seven methods through which a business can verify a parent’s consent. We are following the FTC guidelines as the Children’s Online Privacy Protection Act (COPPA) is the only law exclusively dealing with the online privacy of children. In addition to this, we will also consult the Future of Privacy Forum’s (FPF) discussion draft on the same. Let us discuss the seven methods that the FTC recommends.

Forms

Parents can download a form, fill it out, and then upload it by scanning, providing a simple and cost-effective way to verify parental consent.

Phone call

Parents can call a toll-free number to verify their identity with a trained person. While a simple method, it is comparatively expensive when used by businesses that would have a higher number of verifications.

Video conference

Parents can connect via video conference with trained personnel to confirm consent and verify identity. A similar method is used by neobanks like Fi in India for identity verification, where customers have to say aloud a set of numbers while their video is being recorded. This confirms the identity of the person signing up. Like phone calls, this too could be expensive.

Photo comparison

Take a photo and compare it with a Photo ID submitted by the person, using AI or similar technology. 

Database

Provide a government identifier and validate it against a government database. 

Credit/debit card transaction

Make a credit card/ debit card transaction (often a minimum amount, which may be refunded) to verify their identity. This is under the assumption that only the person who owns the card would make the transaction.

Knowledge-based questions

Ask a series of knowledge-based questions that only the parent would be able to answer.

This verification has to be done before collecting, using, or disclosing personal information from a child. Although these methods seem simple, there are friction points or reasons why the parent would not want to use them. You can see what these friction points are, what they mean, and which one to apply to which methods of collection in the following section.

What are the friction points in verified parental consent?

Friction points are reasons that make a parent not verify their consent. While some of these points may seem trivial, for a parent it could be a very serious reason not to engage with the service provider. The following are some friction points concerning parental consent verification methods:

Convenience

Some parents may methods like a signed form or a phone call inconvenient. This may be due to the time taken or the tools required (such as a printer or scanner to use the form).

Hesitancies

Some parents may not be comfortable sharing sensitive information, such as credit/debit cards, databases, photo comparisons, and knowledge-based questions that some verification methods may involve.

Accessibility 

All of the methods have this problem. While we assume that every person will have the resources for these methods, there will still be people who may not be able to afford resources for verification. Even if they can, the quality may not be at par with the requirements.

Efficacy

Not all the methods discussed are effective, as they can be executed by someone other than a parent. For example, a child might access the parent’s credit/debit card to confirm the identity without the parent’s knowledge. Thus the efficacy of these methods is not 100%. 

Security/privacy

With the world getting digitalized more and more, the risks for privacy and security are rising. The public is now more than ever aware of online transaction risks. They are concerned about their security and privacy during identity verification, which could be used for crimes like identity theft.

To fully understand the significance of the friction points, we have to correlate them with the methods of verifying consent as follows

 

When choosing a method for parental identity and consent, the main focus of businesses must be on weighing the pros and cons of all the methods against the friction points. They must ensure that it does not hinder any business activities and stays within the budget constraints. It is also crucial to use the appropriate method based on the situations they will be used. For example, if verification is required for collecting data on school students in a comparatively poor area, the businesses must ascertain the accessibility of the tools before deploying the method. 

Is verified parental consent enough?

While verified parental consent is crucial for children’s privacy, it’s not the only requirement. Transparency is key under GDPR. When you visit any website, you’ll see a cookie and a privacy policy, meeting GDPR’s transparency rule. But, for children, a regular privacy policy won’t suffice. GDPR’s Article 12(1) mandates a privacy policy that is concise, transparent, easy to understand, and easily accessible. It should also be in simple and clear language. This means a child’s privacy policy must be written in a way that’s clear and simple, meant for a child, not an adult.

Generate legally compliant privacy policy for your business

Create a free privacy policy

*Generate instantly. *No signup required.

Information for the parents

Guardians/parents should receive information about their wards/children. They need to be aware that the rights granted to adults under the regulation are also applicable to their children.

Technical and organizational measures

Article 32 requires the controller to implement technical and organizational measures to ensure the safety of the data processing. This includes pseudonymization, access control, data minimization, age-appropriate design ( designing apps and services keeping in mind the needs of children, such as simpler settings and languages), etc.

Conclusion

Navigating the maze of verified parental consent to comply with GDPR can be daunting. Even with the methods discussed, there is no foolproof way to get verified consent. Moreover, the friction points also make it difficult to obtain verified parental consent. However, this also points to the potential opportunities in the field. By ensuring child-centric design, data minimization, and transparency, a more privacy-focused approach can be taken. This may, to an extent, reduce the apprehension of parents regarding security and privacy. Consequently, it would help businesses find more effective ways to obtain and verify parental consent as well as tackle issues specific to children’s privacy.

FAQ on verified parental consent

What is verifiable consent?

Verifiable consent refers to obtaining clear, voluntary, informed, and specific consent from a person before collecting their personal data.  

How do you verify parental consent?

There are various methods to verify the consent of a parent. It includes using a form to fill out questions, matching the identification number against a database, comparing photo ID, etc. 

Do all the EU countries have the same requirements?

No, the minimum age that defines a child in the context of GDPR differs from country to country. But this does not go below the age of 13 or above 16. 

What happens if the consent of a parent is not verified?

When the controller does not verify the consent of a parent, they can potentially get fined. This would be in addition to the loss of reputation, business, and trust of the consumers of the controller. 

Do I need to get verified parental consent if my business is not situated in the EU?

Yes, according to GDPR, you must get verified parental consent if your business collects personal data of minors located in the EU, regardless of the physical location of your business.

Author’s bio: Vishnuprasad is a Legal Analyst at Mozilor. He possesses diverse legal expertise, spanning from contract law to privacy law. He is passionate about the interplay between technology and the laws governing them. When he’s not navigating the complexities of tech law, you can find him in the library, reading.