What are the rules about an ISS and consent?
In detail
- What do we need to do if we intend to use children’s personal data to offer an online service to a child?
- What does Article 8 say?
- What is the definition of an ISS?
- When is an ISS ‘offered directly to a child’?
- When does the UK age limit apply?
- What does Article 8 of the UK GDPR require?
- What do we have to do if we offer an ISS directly to children?
- What does ‘reasonable efforts’ mean?
- What about children's consent and cookies?
What do we need to do if we intend to use children’s personal data to offer an online service to a child?
If you intend to use children’s personal data to offer an online service to a child then you must do a DPIA to establish whether your processing will result in a high risk to the rights and freedoms of your data subjects. This is because offering online services to children is one of the circumstances that the ICO considers is likely to result in such a risk. For further guidance please see our detailed guidance on Data Protection Impact Assessments.
What does Article 8 say?
Article 8 of the UK GDPR applies where you are offering an information society service (ISS) directly to a child. It does not require you to always get consent for the processing of children’s personal data in this context, but if you choose to rely on consent it sets out further conditions as follows:
“1. Where point (a) of Article 6(1) applies in relation to the offer of information society services directly to a child the processing of the personal data of a child shall be lawful where the child is at least 13 years old. Where the child is below the age of 13 years, such processing shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child.
2. The controller shall make reasonable efforts to verify in such cases that consent is given or authorised by the holder of parental responsibility over the child, taking into consideration available technology.
3. Paragraph 1 shall not affect the general contract law as it operates in domestic law such as the rules on the validity, formation or effect of a contract in relation to a child.”
What is the definition of an ISS?
The basic definition of an ISS in Article 1(1)(b) of Directive (EU) 2015/1535 is:
“any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services.
For the purposes of this definition:
(i) ‘at a distance’ means that the service is provided without the parties being simultaneously present;
(ii) ‘by electronic means’ means that the service is sent initially and received at its destination by means of electronic equipment for the processing (including digital compression) and storage of data, and entirely transmitted, conveyed and received by wire, by radio, by optical means or by other electromagnetic means;
(iii) ‘at the individual request of a recipient of services’ means that the service is provided through the transmission of data on individual request.”
Essentially this means that most online services are ISS, even if the ‘remuneration’ or funding of the service doesn’t come directly from the end user. For example an online gaming app or search engine that is provided free to the end user but funded via advertising still comes within the definition of an ISS.
It generally includes websites, apps, search engines, online marketplaces and online content services such as on-demand music, gaming and video services and downloads. It does not include traditional television or radio transmissions that are provided via general broadcast rather than at the request of an individual.
If you are uncertain whether your service is an ISS or not then we recommend you take your own legal advice, or refer to the following ‘further reading’ which provides more detailed clarification.
Further reading
Article 1(1) of Directive (EU) 2015/1535 of the European Parliament and of the Council
2000/31/EC (the Directive on electronic commerce: recital 18)
CJEU Judgement Ker-Optika, Dec 2010 (C-108/09, paragraphs 22 and 28)
CJEU Judgement Uber, May 2017 (C-434/15, paragraphs 30-37).
When is an ISS ‘offered directly to a child’?
Any ISS which explicitly states that it is for children, or has children of any age as its target audience is clearly being offered directly to a child.
The ICO also considers that an ISS is offered directly to a child when it is made available to all users without any age restrictions, or when the age restrictions in place allow users under the age of 18.
If an ISS is only made available to users who are aged 18 and over then it is not being offered directly to a child. However, if your ISS states that it has such an age limit then, in the event of a complaint, we may look for evidence that the limit is applied in practice, and not just in theory, when deciding whether Article 8 applies. We may consider evidence such as site content, marketing plans, systems or processes designed to limit access, and information provided to users, in this respect.
This means that you need to carefully consider your target audience, and be clear about what age group you intend to allow to access your ISS. If you decide not to offer your ISS to children then you need to consider how to mitigate the risk of them gaining access, using measures that are proportionate to the data protection risks inherent in the processing.
Because online processing of children’s personal data is likely to be high risk processing you must use a data protection impact assessment to help you in this task and to evidence and explain your approach to processing.
What is the UK age limit?
Article 8 of the UK GDPR sets the age at which children can consent to the processing of their personal data in the context of an ISS at 13 years old.
If you have an establishment anywhere in the UK the ICO expects you to respect the UK age limit when you process the personal data of UK based children.
If you are an ISS provider who does not have an establishment anywhere within the UK, but you actively seek or pursue the use of your service by UK based children, we expect you to respect the UK age limit when you process the personal data of UK based children.
If you do not have an establishment anywhere in the UK and you don’t actively seek or pursue the use of your service by UK based children you don’t need to meet the UK requirements as your processing falls outside the territorial scope of the UK GDPR.
What does Article 8 of the UK GDPR require?
In circumstances where you are offering an ISS directly to children and you wish to rely upon consent as your lawful basis for processing their personal data, Article 8 of the UK GDPR provides that:
- only children aged 13 years and over may lawfully provide their own consent for the processing of their personal data;
- an adult with parental responsibility must provide consent for processing if the child is under 13; and
- in such cases you must make reasonable efforts, taking into consideration available technology, to verify that the person providing parental consent does, in fact, hold parental responsibility for the child.
If your ISS is an online preventive or counselling service Section 9 of the Data Protection Act 2018 provides that the Article 8 requirements do not apply and Recital 38 of the UK GDPR says that parental consent should not be required. This indicates that in this context either it will be in the best interests of the child to accept their own consent or that another basis for processing (such as public task or legitimate interests) may be more appropriate.
What do we have to do if we offer an ISS directly to children?
If you offer your ISS directly to children and wish to rely upon consent as your lawful basis for processing, then you have to make sure that anyone providing their own consent to the processing is old enough to do so. Although the UK GDPR does not contain an explicit ‘age of consent’ verification requirement, this is the implication of Article 8. If you do not verify this then this may result in you processing a child’s personal data without valid consent. You do not have to verify the exact age of the data subject in this context: you only need to establish that they are old enough to provide their own consent.
As there is no ‘reasonable efforts’ qualification to obtaining valid consent, it remains a matter of fact whether you have obtained the lawful consent of someone who is able to give it for themselves or not. However, in practice, in the event of a complaint, we will consider whether you have made reasonable efforts to verify that the data subject is old enough to provide their own consent, taking into account the risks inherent in the processing and the available technology.
The UK GDPR also explicitly requires you to make reasonable efforts, taking into consideration the available technology, to verify that any person giving consent on behalf of a child who is too young to provide their own consent, does in fact hold parental responsibility over the child.
A data protection impact assessment should help you to decide what steps you need to take to verify age and parental responsibility. It may also help you to evidence that they are reasonable in the event of a complaint to the Commissioner.
Further reading
Article 29 Working Party Guidelines on consent under Regulation 2016/679, WP258
EDPB guidelines are no longer directly relevant to, and are not binding under, the UK regime. However, they may still provide helpful guidance on certain issues.
What does ‘reasonable efforts’ mean?
This varies depending upon the risks inherent in the processing and the technology that is available.
For example, you may wish to request an email address for a child who wants to subscribe to a band’s e-newsletter via a website. As long as you are only going to use the email to send the requested e-newsletter, you may consider that the risks involved in collecting this personal data are at the lower end of the risk spectrum. A reasonable effort in this circumstance might therefore entail simply asking for a declaration that the user is old enough to provide their own consent, or a declaration of parental consent and responsibility, via a tick box or email confirmation. You may consider that further checks are not reasonable (or indeed practical) and that these steps are sufficient given the low risk to the child of the proposed processing.
However, if your ISS allows individuals to post personal data via an unmonitored chat room, it becomes more risky to allow a child to participate. You therefore need to adopt more stringent means to verify the consent you’ve obtained. For example, you may decide to use a third-party verification service, either to verify that the child is old enough to provide their own consent, or to check the identity of the person claiming parental responsibility and confirm the relationship between them and the child.
The implied need to age-verify raises the issue of how you can do this remotely and in a privacy friendly way with the minimum need for collection of ‘hard identifiers’ such as passport scans or credit card details. Collecting excessive information is unlikely to comply with the data protection by design approach in the UK GDPR. There is also the additional challenge that in the UK 13-17 year olds are likely to have a more limited range of identity documents available to them than adults.
The ICO recognises that your ability to undertake age verification in order to manage consent for online processing may be dependent upon the availability of suitable technologies and age verification mechanisms in the marketplace.
You should be wary of mechanisms that involve detailed collection and retention of any individual’s personal data as this raises further data protection concerns. It is preferable to use ‘attribute’ systems which offer a yes/no response when asked if an individual is over a given age, or if this person holds parental responsibility over the child.
If you do collect personal data for the purposes of satisfying Article 8 then you need to make sure that you process it in accordance with all the requirements of the UK GDPR. This includes:
- minimising the data that is collected;
- not retaining it beyond the time that it is needed; and
- adequately protecting it.
At present in the UK it may not be easy in such online circumstances for all groups of adults to prove they actually hold parental responsibility for a child. For example, parental responsibility for ‘looked after’ children is decided by the family courts and may be officially held by a corporate body but delegated for day-to-day purposes to the person providing the care. There may also be other situations where aspects of parental responsibility are delegated to third parties for day-to-day practical purposes. It may therefore be reasonable instead to accept a verification which relies upon a declaration or statement of relationship from a verified adult. For example, a verified adult providing a declaration that they are a foster carer with day-to-day parental responsibility for a looked after child.
How reasonable this approach is considered to be will depend on the availability of verification services in the marketplace and the ease of using them. Longer term the option of formally certified age verification services under the UK GDPR may be possible. We envisage that verification will become easier over time as the technology becomes available. The ‘reasonable efforts’ expected will therefore change as the marketplace develops but your approach should remain the same: evaluate the risk and in the light of those risks make reasonable efforts to verify that you have valid consent.
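The decision flow described in this section, written out as an added illustration (not ICO code or guidance): the Article 8 age threshold, a risk tier that sets how much assurance counts as a ‘reasonable effort’, and verification results held only as yes/no attributes rather than dates of birth or identity documents. The mapping of risk tier to required assurance and the two evidence source names are assumptions chosen for the example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Tuple

UK_AGE_OF_CONSENT = 13  # Article 8 UK GDPR: a child of 13 or over may consent for themselves

class Risk(Enum):
    LOW = 1    # e.g. an email address used only to send a requested e-newsletter
    HIGH = 2   # e.g. posting personal data in an unmonitored chat room

# Assurance given by each evidence source, in increasing order of strength (assumed names).
ASSURANCE = {"self_declaration": 1, "attribute_service": 2}

# Minimum assurance treated as a 'reasonable effort' for each risk tier (assumed mapping).
REQUIRED = {Risk.LOW: 1, Risk.HIGH: 2}

@dataclass(frozen=True)
class Attribute:
    """A yes/no answer from a verifier plus its source. Deliberately carries no date of
    birth, document scan or card number: the service learns only the attribute it needs."""
    answer: bool   # 'is at least 13?' or 'holds parental responsibility?'
    source: str    # key of ASSURANCE

def strong_enough(attr: Optional[Attribute], risk: Risk) -> bool:
    """True when the attribute answers yes and its source meets the bar for this risk tier."""
    return attr is not None and attr.answer and ASSURANCE[attr.source] >= REQUIRED[risk]

def consent_decision(risk: Risk, age: Optional[Attribute],
                     parent: Optional[Attribute] = None,
                     preventive_or_counselling: bool = False) -> Tuple[bool, str]:
    """Decide whether the consent obtained meets the Article 8 conditions.
    Returns (lawful, reason); the reason is the evidence you would record."""
    if preventive_or_counselling:
        # Section 9 DPA 2018: the Article 8 conditions do not apply to these services.
        return True, "s9 DPA 2018: Article 8 conditions do not apply to this service"
    if strong_enough(age, risk):
        return True, f"child at least {UK_AGE_OF_CONSENT}: own consent valid ({age.source})"
    if age is not None and age.answer:
        return False, f"age evidence '{age.source}' is below what is reasonable at {risk.name} risk"
    # Child is, or may be, under 13: consent must come from a holder of parental responsibility.
    if strong_enough(parent, risk):
        return True, f"parental consent verified ({parent.source})"
    if parent is None:
        return False, "under-13 user: no parental consent offered"
    return False, f"parental responsibility not established at {risk.name} risk ({parent.source})"
```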
What about children’s consent and cookies?
The consent requirements for cookies are defined by the Privacy and Electronic Communications Regulations 2003 rather than the UK GDPR and so aren’t the subject of this guidance. They basically provide that either the ‘user’ (the person using the ISS) or the ‘subscriber’ (the person who has a contract with the internet service provider) must consent to the setting of cookies and similar technologies on the equipment (desktop computer, laptop, mobile device, etc.) being used. This is not quite the same as consenting to the processing of personal data in UK GDPR terms. However, it remains the case that for consent to be valid the person providing it must understand what they are consenting to. This means that you need to take proportionate measures, taking into account the risks inherent in the technology being used, to ensure that a child providing their own consent is competent to do so. Further information on what this means in practice will be provided when our guidance on cookies is updated.
Further reading
Read the Guide to PECR for more information.