Minors’ consent regarding privacy: The AEPD publishes an age verification system
In terms of minors’ consent regarding privacy, the General Data Protection Regulation (GDPR), unlike its predecessor, Directive 95/46/EC, establishes a modest regulation regarding the consent given by minors. According to this, consent from minors is considered lawful from the age of sixteen in general across all European Union Member States.
However, individual states can internally lower this age to no less than thirteen (Article 8, GDPR). In Spain, the legislator has chosen to set the minimum age limit at 14 years (Article 7.1, of the Organic Law 3/2018, of December 5, on the Protection of Personal Data and Guarantee of Digital Rights or “LOPDGDD”). Otherwise, consent from the parent or guardian is required for the processing of personal data under Article 6.1.a) of the GDPR to be valid.
Given these circumstances, it is reasonable to question the level of diligence expected from the data controller when determining the validity of a minor’s consent, especially concerning electronically communicated information.
Should digital platforms control the age of their users?
In accordance with Article 1903 of the Spanish Civil Code, in relation to minors’ consent regarding privacy, parents or guardians are responsible for damages caused by administrative infractions or crimes committed by their minor children. The Spanish Data Protection Agency (AEPD), in its recent guide “More Than a Mobile,” states that they will be jointly responsible for data protection infractions imposed on their minor children over the age of fourteen.
Despite this, the legislator believes that the operator of an online platform must exercise a certain level of diligence to effectively ensure that users meet the legally established requirements for accessing the platform’s services. This is reflected in Article 13.4 of the Spanish Regulation developing the Data Protection regime (RLOPD).
The GDPR also imposes on the data controller the obligation to make “reasonable efforts,” considering available technology, to verify that consent was given by the parent or guardian in cases involving minors without sufficient legal capacity (Article 8.2, GDPR). The AEPD and the European Data Protection Supervisor (SEPD) interpret this provision as applicable to verifying the validity of consent from minors by determining their legal capacity to consent.
Age verification mechanisms: how to demonstrate “reasonable efforts”?
Online age verification on the internet has traditionally been a complex issue, primarily associated with two conflicts: determining what information to request and how to request it.
Regarding the first issue, requiring the default communication of certain personal information for the data controller to certify the validity of the given consent raises privacy issues, as knowledge of an individual’s identity can be associated with their online activity.
For example, the French Data Protection Authority (CNIL) has emphasized that requesting users’ identity documents or estimating age based on user browsing history cannot be considered acceptable methods for age verification on online adult sites. Furthermore, the more personal information the data controller collects, the more severe the consequences in the event of a security breach.
In this regard, the CEPD has stated that the chosen mechanism for age verification should involve a prior analysis of the risk and potential harm posed by minors accessing the services offered on the platform, along with an assessment of the proposed processing.
Regarding how to collect the necessary personal information, reference can be made to the proposal for a European Digital Identity Framework, which seems to simplify this issue by allowing minors to use a digital identity card to prove their age without revealing other personal data.
The AEPD’s new age verification system as a solution to this issue
While awaiting a solution that brings clarity and uniformity to this issue throughout the European space, national authorities responsible for data protection have independently proposed solutions to this problem.
Among these proposals, the AEPD presented a new age verification system on December 14, 2023, consisting of:
- A decalogue outlining the 10 principles that any system protecting minors from inappropriate content must fulfil.
- A technical document detailing the project.
- Three practical videos demonstrating how the system works on different devices.
- A chart outlining the risks of the most popular age verification systems today.
The objective of this new system is not for content providers or third parties to know that the person accessing certain content is a minor but to ensure that the person accessing adult content can do so while maintaining anonymity and minimizing data processed or disclosed to third parties.
In this context, regarding online age verifcation of minors, the decalogue developed in the context of this new system establishes the minimum conditions that must be met to establish suitable systems that generate trust and protect the best interests of minors and fundamental rights. To demonstrate that these conditions are realistic and can be implemented in practice, the AEPD has published a series of proof-of-concept examples.
In this regard, the AEPD has called on all content providers obligated to verify the age of their users to implement an age control method that complies with all the conditions outlined in the decalogue, drawing inspiration from other materials made available to the public by the AEPD.
Despite the above, it is expected that more initiatives will be undertaken to further develop the content of the system developed by the AEPD in the coming months, as the CNMC and the FNMT expressed their support for the AEPD’s initiative shortly after its publication and their willingness to collaborate in the future in this area to promote the protection of minors online.
At Letslaw, our team of Data Protection lawyers will help you and advise you with anything that you may need. Do not hesitate to contact us.