GDPR : Article 8 - Conditions Applicable To Child’s Consent In Relation To Information Society Services

by Avinash V


The General Data Protection Regulation (GDPR), implemented on May 25, 2018, across the European Union (EU) and the European Economic Area (EEA), represents a pioneering data protection framework. Its significance is particularly evident in its meticulous approach to safeguarding children's personal data within the realm of information society services. Acknowledging the unique vulnerabilities of children and their limited awareness of data risks, the GDPR introduces specific provisions for obtaining a child's consent in this context.

Article 8 GDPR - Conditions Applicable To Child’s Consent In Relation To Information Society Services

Age of Consent

One of the key provisions of the GDPR is the establishment of a minimum age for children to provide their own consent for the processing of their personal data. Article 8 of the GDPR states that a child must be at least 16 years old to provide consent for the processing of their data in relation to information society services. However, EU member states have the discretion to lower this age to a minimum of 13 years, in line with the age set by many popular social media platforms.

Parental Consent

In cases where a child is below the minimum age for providing consent, Article 8 of the GDPR requires that the processing of the child's personal data is lawful only if the consent is given or authorized by the holder of parental responsibility over the child. This places an obligation on service providers to make reasonable efforts to verify that such consent has been obtained, taking into consideration available technology.

Child-Friendly Language

One of the fundamental principles of the GDPR is the requirement for clear and understandable information to be provided to data subjects about the processing of their personal data. When it comes to children, this requirement takes on added significance. Information society services must ensure that their privacy notices and consent forms are written in clear and plain language that is easily understandable by children.

GDPR Implementation Toolkit

Special Protection of Online Profiles and Data

Information society services often involve the creation of user profiles, which can contain a significant amount of personal data. The GDPR emphasizes the need for special protection of children's online profiles and data. Service providers must implement measures to ensure that children's profiles are set to the highest privacy settings by default and that the amount of personal data collected is minimized.

Data Protection Impact Assessments

Article 35 of the GDPR requires data controllers to conduct Data Protection Impact Assessments (DPIAs) for processing activities that are likely to result in high risks to the rights and freedoms of data subjects. When it comes to processing children's data in the context of information society services, the threshold for conducting a DPIA is often lower. Service providers must be diligent in assessing potential risks and taking steps to mitigate them.

Education and Empowerment

The GDPR recognizes the importance of educating children about their rights and the risks associated with the processing of their personal data. Information society service providers are encouraged to develop age-appropriate educational materials and campaigns that empower children to make informed decisions about their online activities and the sharing of their personal information.

Data Breaches and Notifications

In the unfortunate event of a data breach involving children's personal data, the GDPR's provisions on data breach notifications apply. Data controllers are required to notify the relevant supervisory authority and, in certain cases, the affected data subjects. The notification must be made without undue delay and must include information about the nature of the breach, the likely consequences, and the measures taken to address the breach.


The GDPR's conditions applicable to a child's consent in relation to information society services are a critical component of ensuring the protection of children's personal data in the digital age. By setting age limits for consent, requiring parental involvement, promoting clear communication, and emphasizing the importance of education, the GDPR aims to strike a balance between allowing children to benefit from online services and safeguarding their privacy and rights. As technology continues to evolve, it is crucial for information society service providers to remain vigilant and proactive in upholding these principles and ensuring a safe online environment for children.

GDPR Implementation Toolkit