The first principle of data protection law is that personal data must be processed fairly and lawfully, and that one or more specified conditions must be met. Perhaps the most important of those conditions affecting the collection and use of personal data via websites is: “The data subject has given his consent to the processing” (Data Protection Act 1998, Schedule 2, paragraph 2). This raises the question of when a child can be taken to have consented to the processing of his or her personal data.
The DPA 1998 does not itself explicitly deal with the issue of obtaining consent from children. However, the Information Commissioner has written: “Websites that collect information from children must have stronger safeguards in place to make sure any processing is fair. You should recognise that children generally have a lower level of understanding than adults, and so notices explaining the way you will use their information should be appropriate to their level, and should not exploit any lack of understanding. The language of the explanation should be clear and appropriate to the age group the website is aimed at. If you ask a child to provide personal information you need consent from a parent or guardian, unless it is reasonable to believe the child clearly understands what is involved and they are capable of making an informed decision” (The Data Protection Good Practice Note: Collecting personal information using websites).
So, privacy policies should be extra-prominent and extra-clear. A very young child may never be able to give adequate consent; whereas, an older child may be able to give adequate consent in many different circumstances.
The Information Commissioner does go on to refer to a particular age threshold: “The Act does not state a precise age at which a child can act in their own right. It depends on the capacity of the child and how complicated the proposition being put to them is. As a general rule, we consider the standard adopted by Trust UK (www.trustuk.org.uk) to be reasonable: ‘TrustUK approved webtraders recognise children need to be treated differently from adults. They will not market their products in any way that exploits children, nor will they collect information from children under 12 without first obtaining the permission of a parent or guardian. They will not collect personal data about adults from children.‘”
There are particular pitfalls for the operators of social networking websites, other websites which publish user generated content, and websites that collect information that is passed on to third parties: “There are certain practices that are likely to breach the Act, for example, collecting information about other people from children, and enticing children to reveal information to win a prize or similar. If you are going to disclose or transfer personal information collected from children to third parties, you need to have the explicit and verifiable consent of the child’s parent or guardian, unless you can be sure that the child really appreciates what is going on and the consequences of their actions. If you want to publish a child’s personal information on the internet, you should usually get the verifiable consent of the child’s parent or guardian. Whether you need the parents’ or guardians’ consent for the publication, or that of the child, will depend on the circumstances, in particular, the child’s age and whether you can be sure the child fully understands the implications of making their information available on the internet.”
An obvious question arises: how can parental consent be verified? The Commissioner states: “If you need parental consent, you must have some way of verifying this. It will not usually be enough to ask children to confirm their parents have agreed by using a mouse click. If you need parental consent but decide that verifying the consent will involve disproportionate effort, you should not carry out your proposed activity.” There are a wide range of methods which may be used to verify parental consent, some of which are stronger than others. For example, you might ask for a nominal credit card payment to be made before the child can access the relevant functionality, or you might telephone parents to verify consent.
Note: there are is a dedicated US law concerning the online collection of children’s personal data. The Children’s Online Privacy Protection Act of 1998 (COPPA) applies to commercial websites that are directed at children under 13 or, even if not so directed, knowingly collect information from children under the age of 13. The most far-reaching provision of COPPA requires that such websites must, before collecting, using or disclosing personal information from a child, obtain verifiable consent from the child’s parent. This is why many US-orientated websites prohibit children under 13 from registering and using the website.