GDPR must prioritise child protection

Almost a year into the GDPR era, research shows how well organisations are getting on with adhering to the new standards of EU data laws.

According to CISCO figures, 59% of companies surveyed say they are meeting all or most of the GDPR requirements, with a further 29% saying they should be up to standard within one year.

The study revealed data security, employee training and keeping up with evolving regulations are among the main compliance concerns of employers.

Following 12 months of high-profile data breaches and record-breaking fines issued by regulators against some of the world’s most powerful data handling companies, some experts fear that more needs to be done to highlight protection of children’s data.

In the States, companies violating children’s online privacy rights have mostly been punished under the US Children’s Online Privacy Protection Act regulation (COPPA), with notable cases including that of the Tik Tok app being fined $5.7 million for data handling malpractice.

Now, the European Data Protection Board (EDPC) has said it will adopt new guidelines on children’s data handling which will carry weight when the GDPR is enforced in cases that involve children.

Furthermore, the ICO has also been working on an Age Appropriate Design Code, to be release soon.

As Denise G Tayloe, CEO of US consent service provider, Privo, describes how processing children’s data will rely heavily on correct consents being in place, in the following key areas:

  • Privacy notices must be appropriate for the age of the child and inform them of their right to have personal data erased.
  • Write your privacy notice in clear, simple language so it is easy to understand.
  • Use child-friendly ways of communicating such as videos, diagrams, cartoons, or icons.
  • Explain simply why you need the personal data you’ve asked for and what you plan to do with it.
  • Explain what rights the child has and how to action them.

“Article 8 of the GDPR states conditions applicable to children’s consent in relation to information society services. Children under 16 merit specific protection, which includes adopting measures to verify a child’s age and managing meaningful and informed consent,” Ms Tayloe says.

“The GDPR has set the age of consent at 16, meaning users 15 years and younger need parent consent where applicable. However, Member States were able to voluntarily adopt a younger age of consent as low as 13,” she adds.

“Children have the same rights as adults regarding their personal data. These include the rights to access their personal data; request rectification; object to processing; and to have their personal data erased,”

“Compliance with the GDPR may require substantial shifts in the processes and technologies companies use to manage information. In the long run, it is an opportunity to provide transparency and trust with your end user,” Ms Tayloe continues.

Join our free-to-attend digital event, Last Thursday in Privacy, addressing data protection, privacy and security challenges including working from home, COVID-19, global regulations and more. Visit

We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.

Privacy Culture: Data Privacy and Information Security Consulting, Culture & Behaviour, Training, and GDPR maturity, covered.