Child Consent
This topic covers the conditions and requirements for obtaining valid consent from children in the context of information society services. These differ from general consent requirements and call for specialized treatment of age verification, parental involvement, and child-specific safeguards.
Overview
Legal Framework
The primary legal basis for processing a child's personal data based on consent is Article 8 of the General Data Protection Regulation (GDPR). It establishes a specific regime for information society services offered directly to a child. Where the child is below the age of 16, consent must be given or authorized by the holder of parental responsibility, unless a Member State provides by law for a lower age (not below 13). The Digital Services Act (DSA) complements this framework for online platforms, imposing obligations to assess and mitigate systemic risks, including those to minors' rights (DSA Recitals 1, 5).
Practical Application
Article 8 GDPR creates a dual requirement: verifying the user's age and, if below the threshold, obtaining verifiable parental consent. The regulation does not prescribe specific verification methods, but they must be reasonable and proportionate. In practice, this can involve technical measures, declaration checks, or using third-party services. The DSA reinforces this by requiring very large online platforms and search engines (VLOPs/VLOSEs) to implement tailored risk assessments and mitigation measures to protect minors, which inherently influences how consent mechanisms and platform design must function to prevent harm.
Key Considerations
- Implement Proportionate Age Verification: Organizations must establish a method to distinguish child users. The chosen mechanism should be commensurate with the risks of the processing, avoiding unnecessarily intrusive checks for low-risk services.
- Design for Parental Authorization: If a user is identified as a child, a robust process for obtaining and recording verifiable parental consent is mandatory. This process must be clear and accessible to the parent or guardian.
- Prioritize Child-Centric Safeguards: Beyond obtaining consent, the principles of data protection by design and by default (Article 25 GDPR) require that settings for children be high-privacy by default. The DSA's risk mitigation obligations further necessitate designing services and algorithmic systems with the best interests of the child in mind.
Laws (7)
Case Law (3)
Bundesverband der Verbraucherzentralen v Planet49 GmbH
C-673/17 (Planet49)
Pre-ticked checkboxes do not constitute valid consent. Consent must be active.
Google LLC v CNIL
C-507/17 (Google Territorial Scope)
Right to delisting does not require global de-referencing under EU law.
GC and Others v CNIL
C-136/17 (GC and Others)
Conditions for delisting sensitive data from search results.
Guidance (6)
Guidelines 5/2019 on the criteria of the Right to be Forgotten in the search engines cases under the GDPR (part 1)
Guidelines on the criteria of the right to be forgotten in the search engines cases under the GDPR (part 1)
Version history
ARTICLE 29 DATA PROTECTION WORKING PARTY
Guidelines on transparency
Guidelines 3/2018 on the territorial scope of the GDPR (Article 3)
Guidelines on the territorial scope of the GDPR
Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679
Guidelines on codes of conduct and monitoring bodies
Guidelines 05/2020 on consent under Regulation 2016/679
Guidelines on consent
Enforcement (1)
News (2)
States attempted to censor the online activities of children. Courts and the Electronic Frontier Foundation (EFF) largely managed to prevent this: a look back at 2025.
In at least a dozen states, lawmakers believe they can pass laws that prohibit young people from accessing social media, or that require them to obtain parental consent before logging in. Fortunately, almost all courts that have reviewed these laws have ruled that they violate the constitution. It's not just the courts telling these lawmakers they are wrong. The Electronic Frontier Foundation (EFF) has filed briefs with courts across the country over the past year, explaining how these laws violate the freedom of speech of young people, as protected by the First Amendment.
DeFine is a calculator for GDPR fines based on the method of the EDPB
> DeFine is a translation into a calculator of part of the methodology proposed by the European Data Protection Board to calculate GDPR fines (see EDPB, Guidelines 04/2022 on the calculation of administrative fines under the GDPR, 12 May 2022, available online; it was subject to a public consultation until 27 June 2022).