On March 6, 2018, the Centre for Information Policy Leadership (“CIPL”) at Hunton & Williams LLP issued a white paper on GDPR Implementation in Respect of Children’s Data and Consent (the “White Paper”). The White Paper sets forth guidance and recommendations concerning the application of GDPR requirements to the processing of children’s personal data. The White Paper also highlights and addresses several issues raised by the Article 29 Working Party (the “Working Party”) with regard to children in its guidelines on consent and issues raised by the UK Information Commissioner’s Office in its Consultation on Children and the GDPR.
Key points of focus in the White Paper include:
- Emphasizing that while Article 8 of the GDPR imposes specific conditions to a child’s consent in certain circumstances, other legal processing bases are still applicable and sometimes more appropriate to the processing of children’s data;
- Presenting a risk-based test to determine whether an information society service is offered directly to a child and how this could be developed within the framework of the GDPR;
- Considering the application of GDPR provisions to children’s data outside the realm of Article 8, for example, requirements on transparency, the exercise of individual rights and marketing;
- Highlighting the importance of a consistent approach to implementing national age thresholds and the potential challenges that arise from a fragmented approach; and
- Underlining the difficulties that organizations may face post-GDPR with regard to the continuation of services to children who previously consented to processing, which now falls within the scope of Article 8 of the GDPR.
To read CIPL’s position on the points above, in addition to its other recommendations, please view the full White Paper.
The White Paper was developed in the context of CIPL’s ongoing GDPR Implementation Project, a multi-year initiative involving research, workshops, webinars and white papers, supported by over 90 private sector organizations.