Ireland: Fundamentals for a child-oriented approach to data processing

The Data Protection Commission ('DPC') published, on 17 December 2021, its final version of its guidance on the fundamentals for a child-oriented approach to data processing ('the Fundamentals')1. The Fundamentals introduce child-specific data protection interpretative principles and recommended measures to enhance the level of protection afforded to children against the data processing risks posed to them by their use of or access to services in both an online and offline world. Moreover, the Fundamentals also aim to assist organisations that process children's data by clarifying the principles in terms of the high-level obligations under the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), to which the DPC expects such organisations to adhere. This Insight provides an overview of the Fundamentals.


Compliance with the Fundamentals

The Fundamentals have immediate application and operational effect, now forming the basis for the DPC's approach to supervision, regulation, and enforcement in the area of processing of children's personal data.

The Fundamentals provide that they should be read in conjunction with other guidance issued by the DPC and that they should not be taken to cover all the obligations applied under the GDPR (section 1.1 of the Fundamentals). In addition, the Fundamentals emphasise that organisations have two choices (section 1.4 of the Fundamentals):

  • to either apply the requirements of the Fundamentals to the services they offer holistically; or
  • to alternatively take a risk-based approach to verifying the age of their users so that they can ensure that they apply the requirements of the Fundamentals to the processing of their child users' personal data.

The DPC notes that complying with an age-appropriate or child-oriented regime of data protection will involve costs and take creativity on the part of service designers; however, children are one in three users, and represent the adult market of the future. Therefore, the DPC provides that a healthy and supportive relationship with children is, in the long-term, to the benefit of brands and businesses across all sectors.

Intended organisations

The Fundamentals are intended for organisations (section 1.3 of the Fundamentals):

  • that provide services that are directed at, intended for, or likely to be accessed by children;
  • that provide services which have mixed-user audiences including children, even if the service in question is not primarily intended for children;
  • that provide offline services including, among others, educational providers, sports and social clubs and communities, and health and social support providers; and
  • in the digital context, websites, apps, and other Internet of Things services which provide social media, media sharing, gaming, entertainment, educational, advocacy, health and social care, or support services.

The Fundamentals provide a non-exhaustive list of factors that will assist organisations in assessing whether a website, app, or other online service is likely to be accessed by children (section 1.3 of the Fundamentals):

  • the subject matter or nature of the site or service;
  • its visual content;
  • the use of animated characters or child-oriented activities and incentives;
  • music or other audio content;
  • the age of models;
  • the presence of child celebrities or celebrities who appeal to children;
  • language or other characteristics of the website or online service;
  • whether ads promoting or appearing on the website or online service are directed at children;
  • the age of users on similar services; and
  • independent research.

The Fundamentals

Fundamental 1: Floor of protection

Online service providers should provide a 'floor' of protection for all users (i.e. apply the requirements of the Fundamentals to the services they offer holistically, so that all users, irrespective of whether they are under 18 or not, benefit from a high and standardised level of data protection sufficient to protect the rights of any child users), unless they take a risk-based approach to verifying the age of their users so that the protections set out in these Fundamentals are applied to all processing of children's data (section 1.4 of the Fundamentals).

Fundamental 2: Clear-cut consent

When a child has given consent for their data to be processed, that consent must be freely given, specific, informed, and unambiguous, made by way of a clear statement or affirmative action by the data subject (section 2.4 of the Fundamentals).

In particular, the Fundamentals note that organisations should ensure that, where they are relying on the consent of a child to process their personal data, the child is given a real choice over how their personal data is used and that they have the capacity to provide informed consent, e.g. to understand exactly what it is they are consenting to. Where practicable, an assessment of capacity in addition to age provides a good understanding of the likely capacity at which a child may be able to comprehend a demand or situation, or an age where what is being demanded is beyond their capacity. Moreover, the Fundamentals advise that data controllers should also take into account any imbalance of power that might be inherent in their relationship with the child, and must consider whether the consent being provided by the child can truly be deemed to be 'freely given'.

Fundamental 3: Zero interference

Online service providers processing children's data in reliance on the legal basis principle should ensure that the pursuit of legitimate interests does not interfere with, conflict with, or negatively impact, at any level, the best interests of the child (section 2.4 of the Fundamentals).

The Fundamentals further provide that the interests and/or fundamental rights and freedoms of child data subjects should always take precedence over the rights and interests of an organisation, which is processing children's personal data for commercial purposes.

In addition, the Fundamentals note that in the circumstances where there is any level of interference with the best interests of the child, the principle of legal basis will not be available for the processing of children's personal data, meaning that organisations must carefully examine all of their processing operations on a case-by-case basis with regard to these conditions.

Fundamental 4: Know your audience

Online service providers should take steps to identify their users and ensure that services directed at, intended for or likely to be accessed by children have child-specific data protection measures in place (section 3.1 of the Fundamentals).

Specifically, the Fundamentals highlight that it is vital that organisations know their audiences so that they can tailor their transparency information for optimum accessibility and understandability. However, the Fundamentals note that the DPC is not proposing that organisations must necessarily provide two separate sets of transparency information for adults and children where they have a mixed audience of child and adult users. In fact, if the information is clear and simple enough for a child to understand, then it will also comply with the transparency requirement in relation to adult data subjects.

Fundamental 5: Information in every instance

Children are entitled to receive information about the processing of their own personal data irrespective of the legal basis relied on and even if consent was given by a parent on their behalf to the processing of their personal data (section 3 of the Fundamentals).

The Fundamentals emphasise that whilst considering the age appropriateness of the language in the information provided by an organisation, children may require information in different formats and at different times in the user journey in order to fulfil the requirements under Article 12 of the GDPR.

Fundamental 6: Child-oriented transparency

Privacy information about how personal data is used must be provided in a concise, transparent, intelligible, and accessible way, using clear and plain language that is comprehensible and suited to the age of the child (section 3 of the Fundamentals).

Notably, the Fundamentals highlight that where organisations fall within the scope of application of the Fundamentals, organisations must assess how to ensure meaningful transparency for child users, according to the age ranges of child users. Accordingly, the Fundamentals note that this may mean implementing child-specific measures which vary according to the audience age ranges of child users or alternatively ensuring that, in the case of mixed audiences where the organisation decides to provide only one set of transparency information, the timing for delivery of this information is meaningful and the mode(s) of delivery and content are clear and simple enough for children of different age groups to easily access and understand.

In addition, the Fundamentals note that the information provided should also be available in an obvious, easy-to-find place, e.g. not in tiny writing at the bottom of a webpage or app screen, or in a way that nudges the user to accept, i.e. by appearing as a pop-up or making the option to consent more obvious or less obstructive to the user experience than the option to find out more or withhold consent. The Fundamentals also provide that children should not have to search for the aforementioned information.

Furthermore, the Fundamentals advise that careful consideration should be given to what methods are more likely to appeal to children using a particular service, according to age and developmental stages. In this regard, the Fundamentals recommend that organisations consider using non-textual measures, such as cartoons, videos, images, icons, or gamification, depending on the age ranges of their users, to convey data protection information to children and young people more effectively, as these methods are more likely to resonate with children than blocks of text. In addition, the Fundamentals advise organisations to present children with the core data protection information up front and that children should be actively encouraged by organisations to find out more about how their own personal data will be used and how that use will affect them, for example by means of click-through buttons.

Alongside the above methods to convey transparency information to children, the Fundamentals further recommend the following:

  • organisations should provide transparency information throughout the user experience, particularly using methods such as 'just-in-time notifications';
  • children and young people should be able to contact the organisation in an easily accessible way; and
  • organisations should provide clear explanations to children of user control choices and default settings, i.e. why certain settings are automatically switched to off or denied to them by default.

Fundamental 7: Let children have their say

Online service providers shouldn't forget that children are data subjects in their own right and have rights in relation to their personal data at any age. The DPC considers that a child may exercise these rights at any time, as long as they have the capacity to do so and it is in their best interests (section 4.1 of the Fundamentals).

Accordingly, the Fundamentals highlight that the DPC does not consider it appropriate to set a general age threshold as the point at which children should be able to exercise their rights on their own behalf. Instead, a number of criteria should be used in conjunction, including, among other things, the age and maturity of the child (i.e. as demonstrated by interactions between the child and the organisation in question) and whether enabling the child to exercise their data protection rights themselves is in the best interests of the child.

In addition, the Fundamentals emphasise that if an organisation decides that it will not facilitate a child to exercise their data subject rights, they should explain to the child, in a transparent and easy to understand manner, the reasons it decided not to comply with the request and that they can ask their parent, guardian, expert third party or advocate to make the request on their behalf to the organisation.

Fundamental 8: Consent doesn't change childhood

Digital consent obtained from children over the age of digital consent (i.e. 16 or over in Ireland), or from the guardians or parents of children under the age of digital consent, should not be used as a justification to treat children of all ages as if they were adults (section 5.1 of the Fundamentals).

In relation to consent, the Fundamentals provide that the requirements around the age of digital consent do not impose restrictions on a child being able to access a service. Instead, the age of digital consent sets the threshold for the age at which a child can give their own consent to online service providers to process their personal data. Moreover, the Fundamentals provide that collecting consent in accordance with Article 8 of the GDPR is an opportunity for the online service to provide an age-appropriate data protection regime, by default, adapted to the age ranges of users.

Fundamental 9: Your platform, your responsibility

Companies who derive revenue from providing or selling services through digital and online technologies pose particular risks to the rights and freedoms of children. Where such a company uses age verification and/or relies on parental consent for processing, the DPC will expect it to go the extra mile in proving that its measures around age verification and verification of parental consent are effective (section 5.2 of the Fundamentals).

The Fundamentals note that although the GDPR does not require organisations to carry out age verification in order to comply with Article 8 of the GDPR, it does require organisations to make 'reasonable efforts' to verify, where a child is below the age of 16 in Ireland, that consent is given or authorised by the holder of parental responsibility over the child. Therefore, organisations must fully explore all of the technology options available to them and maximise innovation. In addition, the Fundamentals provide that the DPC considers that a proportionate and risk-based approach should be adopted when establishing whether a user is a child, particularly requiring greater stringency or levels of certainty provided by the particular verification process where the processing of personal data undertaken by the organisation poses higher risks to the user.

The DPC considers that methods endorsed by equivalent regulators in other jurisdictions could also act as a blueprint for the types of methods which may equally be deployed for GDPR compliance purposes. For example, the Fundamentals note that in the USA, the Federal Trade Commission has endorsed the following methods with similar obligations:

  • signing a consent form and sending it to the organisation via fax, mail, or electronic scan;
  • using a credit card, debit card, or other online payment system that provides notification of each separate transaction to the account holder;
  • calling a toll-free number staffed by trained personnel;
  • connecting to trained personnel via a video conference;
  • providing a copy of a form of government issued ID which the organisation checks against a database, which is then deleted upon conclusion of the verification process;
  • answering a series of knowledge-based challenge questions that would be difficult for someone other than the parent to answer; or
  • verifying a picture of a driver's licence or other photo ID submitted by the parent and then comparing that photo to a second photo submitted by the parent, using facial recognition technology.

Ultimately, the Fundamentals emphasise that it is up to the organisation to decide what verification methods are most appropriate and proportionate to the processing which is carried out. Additionally, the DPC considers that a higher burden of proving reasonable effort applies to technology and internet companies, whose business models are predicated on deployment of digital and online technologies, in light of the higher risks to the data protection rights of users who utilise their services.

Fundamental 10: Don't shut out child users or downgrade their experience

If an organisation's service is directed at, intended for, or likely to be accessed by children, the organisation cannot bypass its obligations under the GDPR, particularly Article 8 of the GDPR, simply by shutting them out or depriving them of a rich service experience (section 5.4 of the Fundamentals).

Similarly, the DPC considers that the user experience offered to child users should be adapted in order to minimise, to the greatest extent possible, the risks posed to children from the processing of their personal data in the context of using or accessing a service, without a deterioration in the overall user experience and the availability of the central features, for which children primarily access the service. Likewise, high levels of Data Protection by Design and Default also ensure that children are not targeted with age-inappropriate content, such as pornography.

Fundamental 11: Minimum user ages aren't an excuse

Theoretical user age thresholds for accessing services do not displace the obligations of organisations to comply with the controller obligations under the GDPR, and the standards and expectations set out in the Fundamentals where 'underage' users are concerned (section 5.5 of the Fundamentals).

The Fundamentals provide that, where a service provider stipulates that their service is not for the use of children below a certain age, they should take steps to ensure that their age verification mechanisms are effective at preventing children below that age from accessing their service. If an organisation considers that it cannot prevent children below its stipulated age threshold from accessing its service, then the organisation should ensure that appropriate standards of data protection measures are in place to safeguard the position of child users, both below and above the organisation's official user age threshold.

Fundamental 12: A precautionary approach to profiling

Online service providers should not profile children and/or carry out automated decision making in relation to children, or otherwise use their personal data, for marketing or advertising purposes due to their particular vulnerability and susceptibility to behavioural advertising, unless they can clearly demonstrate how and why it is in the best interests of the child to do so (section 6.2 of the Fundamentals).

In connection with this, the DPC does not consider that it is in the best interests of children to show them advertisements for games, services, products, or videos etc. which they might be interested in, where such advertisements are based on profiling. Therefore, there is a high burden of proof on the organisation to show how it is in the best interests of children to process their personal data for the purposes of profiling and/or automated decision making, or otherwise, in order to advertise or market to them.

The DPC therefore considers that there will be a very limited range of circumstances where the profiling of children and/or the use of automated decision-making concerning children are legitimate and lawful activities under the GDPR.

In any event, if an organisation decides to profile and/or engage in automated decision-making about children for any purpose, the DPC notes that the organisation must first carry out a Data Protection Impact Assessment ('DPIA') to establish whether their processing will result in a high risk to the rights and freedoms of children. The best interests of the child must be a critically considered factor in the carrying out of a DPIA concerning the processing of children's personal data. If an organisation decides that it is actually in the best interests of children to profile them and/or engage in automated decision-making about them for a particular purpose, that organisation must be able to demonstrate that it has appropriate safeguards in place to protect children.

In respect of direct marketing, the Fundamentals clarify that, should organisations decide to conduct electronic direct marketing activities towards children, they should be able to demonstrate how this is in the best interests of the child, irrespective of any business model or commercial interests of the organisation.

In addition, the Fundamentals recommend that where a product or a service uses cookies, the organisation should conduct audits to establish how these cookies might be used to profile individuals and they should have particular regard for how children may be targeted as a result of their use. Any user interface seeking consent for the use of cookies should, especially where the product or service is targeted at children:

  • be easy to understand;
  • comply with the transparency principles;
  • comply with the principles concerning profiling of children for advertising or marketing purposes; and
  • provide clear and comprehensible information written in a child-friendly way to explain what cookies do and how the information obtained through the use of cookies will be used, and by what other organisations.

Fundamental 13: Do a DPIA

Online service providers should undertake a DPIA to minimise the data protection risks of their services, and in particular the specific risks to children which arise from the processing of their personal data. The principle of the best interests of the child must be a key criterion in any DPIA and must prevail over the commercial interests of an organisation in the event of a conflict between the two sets of interests (section 7.1 of the Fundamentals).

The Fundamentals emphasise that a child-oriented DPIA is the first step in mitigating risk arising from processing children's personal data, and will be seen as a key act of compliance with existing legal requirements for protecting the position of children as data subjects. Moreover, the DPC recommends as part of a child-oriented DPIA, organisations should consider conducting Child Rights Impact Assessments, which may be used as a tool for translating the best interests of the child principle into practice.

Fundamental 14: Bake it in

Online service providers that routinely process children's personal data should, by design and by default, have a consistently high level of data protection which is 'baked in' across their services (section 7.2 of the Fundamentals). Therefore, the Fundamentals highlight that data protection measures should be built into the architecture and functioning of a product or service from the very start of the design process, rather than being considered after the development phase, and that the strictest privacy settings should automatically apply to a product or service.

In addition, the Fundamentals provide that an organisation should be able to show how the best interests principle has driven the design, development, implementation and/or operation of any service which is directed at or intended for, or is likely to be accessed by, children and how measures implemented are effective in achieving this.

The Fundamentals provide a non-exhaustive indicative list of recommended measures for incorporating Data Protection by Design and by Default to promote the best interests of child users, which includes:

  • default privacy settings - ensure the strictest privacy settings apply to services directed at, intended for, or likely to be accessed by, children;
  • user choice - ensure that in a mixed-audience setting, child users have meaningful, clear and plain choice, control and flexibility as to settings and features in respect of processing operations which pose greater levels of risk to child users and which can be disabled for a child user account;
  • data minimisation - minimise the amount of data collected from children in the first instance and throughout their interaction with a service and/or minimise the subsequent use and sharing of the data; and
  • sharing and visibility - do not systematically share a child's personal data with third parties without clear parental knowledge, awareness and control; build in parental reminders or notifications, where appropriate, in relation to subsequent sharing activity.

Bahar Toto Privacy Analyst


1. Available at: https://www.dataprotection.ie/sites/default/files/uploads/2021-12/Fundamentals%20for%20a%20Child-Oriented%20Approach%20to%20Data%20Processing_FINAL_EN.pdf
