children-deletion-requests

Managing Deletion Requests for Children's Data

Overview

Deletion of children's personal data operates under heightened obligations compared to adult data deletion. Under GDPR Article 17, the right to erasure applies with particular force when data was collected from a child — Article 17(1)(f) explicitly creates a right to erasure where personal data has been collected in relation to the offer of information society services to a child under Article 8(1). COPPA Section 312.6 requires operators to provide parents with the ability to review and delete personal information collected from their child. The UK AADC Standard 15 requires prominent and accessible tools to help children exercise their data protection rights. This skill provides a comprehensive framework for processing deletion requests involving children's data, including the complex questions of who can request deletion, verification procedures, scope determination, and third-party notification.

Legal Framework

GDPR Article 17(1)(f) — Right to Erasure for Children's Data

"The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where [...] the personal data have been collected in relation to the offer of information society services directly to a child referred to in Article 8(1)."

This ground for erasure is distinct from the other Art. 17(1) grounds because:

• It does not require that the original lawful basis has been withdrawn (unlike Art. 17(1)(b) consent withdrawal)
• It does not require that the data is no longer necessary (unlike Art. 17(1)(a))
• It applies specifically because the data was collected from a child, regardless of whether the data subject is still a child at the time of the request
• The CJEU has confirmed in Case C-131/12 (Google Spain) that the right to erasure is especially important where the data was collected when the data subject was a minor

GDPR Article 17(2) — Third-Party Notification

"Where the controller has made the personal data public, the controller shall, taking account of available technology and the cost of implementation, take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure [...] of any links to, or copy or replication of, those personal data."

GDPR Article 12(3) — Response Timeline

"The controller shall provide information on action taken on a request under Articles 15 to 22 to the data subject without undue delay and in any event within one month of receipt of the request."

COPPA Section 312.6 — Parental Access and Deletion Rights

• 312.6(a): Operator must provide a parent, upon request, with a description of the specific types of personal information collected from the child, and the opportunity to refuse to permit the operator's further use or future online collection of personal information from that child, and to direct the operator to delete the personal information collected from that child
• 312.6(b): The operator must delete the child's personal information within a reasonable time after receiving the parental request

UK AADC Standard 15 — Online Tools

"Provide prominent and accessible tools to help children exercise their data protection rights and report concerns."

Who Can Request Deletion

Parental-Initiated Deletion

Applicable When: The child is below the age at which they can independently exercise data protection rights.

Jurisdiction	Age Below Which Parent Acts	Legal Basis
GDPR (default)	16 (or national threshold 13-16)	Art. 8(1) — parental consent grounds extend to parental exercise of rights
UK	13 (DPA 2018 Section 9)	ICO guidance: parent exercises rights for children who cannot understand the implications
US (COPPA)	13	16 CFR 312.6 — explicit parental right to direct deletion
France	15	Loi Informatique et Libertes Art. 45
Germany	16	GDPR default
Spain	14	Organic Law 3/2018 Art. 7

Verification Requirements:

• Verify that the requester is the parent or legal guardian of the child
• Verification methods (proportionate to risk): match against existing parental account, email verification to registered parent email, knowledge-based questions, government ID (for high-risk scenarios)
• Verify the identity of the child whose data is to be deleted (match against account records)

Child-Initiated Deletion

Applicable When: The child has reached sufficient maturity to understand and exercise their data protection rights independently.

Age of Capacity Assessment:

The capacity of a child to independently exercise data protection rights is not determined solely by the Art. 8 age threshold. The ICO has stated that a child who is competent to understand their rights may exercise them independently, regardless of the Art. 8 threshold. This is analogous to the Gillick competency principle in UK common law.

Scenario	Who Initiates	Capacity Assessment
Child aged 10 requests deletion	Parent must submit the request	Child below Art. 8 threshold in all jurisdictions; lacks capacity
Child aged 14 in Belgium (threshold 13) requests deletion	Child can submit independently	Above national threshold; presumed competent
Child aged 14 in Germany (threshold 16) requests deletion	Depends on maturity assessment	Below national threshold; controller may accept if child demonstrates understanding
Former child (now 18) requests deletion of childhood data	Former child submits independently	Adult; full capacity; Art. 17(1)(f) explicitly protects this scenario

Former Child (Adult) Requesting Deletion of Childhood Data

Art. 17(1)(f) does not require the data subject to still be a child at the time of the request. An adult may request deletion of personal data collected when they were a child. This is particularly relevant for:

• Social media posts from adolescence
• Educational records from childhood
• Health data from paediatric treatment
• Photos and videos uploaded by the child or their parents during childhood

The GDPR explicitly supports this by creating Art. 17(1)(f) as a standalone ground — the passage of time does not diminish the right.

Deletion Request Processing Workflow

Step 1: Receive and Log Request

Request received
│
├─ Channel: email / parental dashboard / in-app tool / postal mail
├─ Requester identity: parent / child / former child (adult)
├─ Child identifier: account ID / name / email
├─ Scope requested: full account deletion / specific data categories
├─ Timestamp: [logged automatically]
├─ Reference number assigned: DEL-CHILD-[YEAR]-[SEQ]
│
└─ Acknowledgement sent within 48 hours

Step 2: Verify Requester Identity and Authority

Requester	Verification Method	Escalation
Parent (existing account)	Match request email against registered parent email + security question	If match fails, request government ID
Parent (no existing account)	Request proof of parental relationship (birth certificate or equivalent) + matching identification	Manual review by DPO
Child (above threshold, existing account)	Match request against child's registered email + account security	If match fails, involve parent
Child (below threshold)	Redirect to parent; inform child their parent can submit the request	Provide parent contact mechanism
Former child (adult)	Standard identity verification (email + security question or ID)	Manual review if account is historical

Step 3: Determine Scope of Deletion

Scope Element	Default Inclusion	Exceptions
Account profile data (name, DOB, email)	YES	None
Activity/usage logs	YES	Anonymised aggregate retained for analytics
Content created by child (posts, projects, uploads)	YES	Offer download before deletion
Communication records (messages, chats)	YES	May retain if needed for ongoing safeguarding investigation
Parental consent records	RETAINED for 6 years	Legal compliance: statute of limitations for GDPR enforcement
Financial transaction records	RETAINED for applicable period	Legal compliance: tax and accounting obligations
Safety/moderation logs	RETAINED if active investigation	Safeguarding obligation override per Art. 17(3)(d)
Backup copies	YES (scheduled purge)	Deleted within backup rotation cycle (max 30 days)
Third-party copies	NOTIFIED for deletion	Art. 17(2) obligation to inform third-party controllers

Step 4: Execute Deletion

Timeline: Within one month of verified request (Art. 12(3)). Extension of up to two additional months permitted for complex requests, with notification to the requester within the initial one-month period.

Technical Deletion Process:

1. Primary database: Execute DELETE operations across all tables containing the child's personal data
2. Search indices: Remove the child's data from Elasticsearch, Solr, or equivalent search indices
3. Caches: Invalidate all cached entries containing the child's data (Redis, CDN, application cache)
4. File storage: Delete uploaded files (photos, documents, audio) from primary storage (S3, Azure Blob, GCS)
5. Analytics databases: Remove or anonymise records in analytics systems (BigQuery, Redshift, Snowflake)
6. Logs: Purge application logs containing the child's personal data (ELK stack, Splunk, CloudWatch)
7. Machine learning models: If the child's data was used to train ML models, assess whether the model must be retrained or whether the training data inclusion is irreversible (document the assessment)
8. Backups: Schedule deletion from backup systems within the next backup rotation cycle (max 30 days)
9. Third-party notification: Send deletion requests to all third parties that received the child's data per Art. 17(2)

Step 5: Confirm Deletion

{
  "deletion_reference": "DEL-CHILD-2026-0284",
  "child_identifier": "child_bp_8f3a2d",
  "requester": "parent_bp_c7e4f1",
  "requester_type": "parent",
  "request_date": "2026-02-15T09:00:00Z",
  "verification_date": "2026-02-16T11:30:00Z",
  "deletion_scope": {
    "account_data": "deleted",
    "activity_logs": "deleted",
    "content": "deleted (download offered, declined by parent)",
    "communications": "deleted",
    "consent_records": "retained (legal compliance, expiry 2032-02-16)",
    "backups": "scheduled_purge_2026-03-16"
  },
  "third_party_notifications": [
    {
      "recipient": "AWS (hosting provider)",
      "notification_date": "2026-02-17",
      "scope": "all stored objects for child account",
      "confirmation": "pending"
    }
  ],
  "deletion_completed_date": "2026-02-17T14:00:00Z",
  "backup_purge_date": "2026-03-16T02:00:00Z",
  "confirmation_sent_to_requester": "2026-02-17T14:30:00Z"
}

Step 6: Post-Deletion Verification

1. Attempt to retrieve the child's data from all systems listed in Step 4
2. Confirm that no personal data is returned from any system (except legally retained records)
3. Log the verification outcome
4. Schedule backup purge verification for 30 days after primary deletion

BrightPath Learning Inc. — Deletion Implementation

Deletion Channels

Channel	Description	Response Time
Parental dashboard	One-click "Delete Account" button with confirmation dialog	Immediate processing
In-app (child)	"Delete my stuff" button in privacy centre (for children above threshold)	Immediate processing
Email	privacy@brightpathlearning.eu	Acknowledgement within 48 hours
Postal	BrightPath Learning Inc., 200 Education Lane, Amsterdam, 1012 AB, Netherlands	Acknowledgement within 5 business days

Deletion Flow (Parental Dashboard)

Parent clicks "Delete Alex's Account"
│
├─ Confirmation dialog:
│  "This will permanently delete Alex's account and all their data,
│   including learning progress and any work they've saved.
│   This cannot be undone."
│  [Download Alex's data first]  [Delete everything]  [Cancel]
│
├─ If "Download first" selected:
│  ├─ Generate data export (JSON + PDF progress report)
│  ├─ Email download link to parent (valid for 7 days)
│  └─ Return to deletion confirmation
│
├─ If "Delete everything" selected:
│  ├─ Re-verify parent identity (password or security question)
│  ├─ Execute deletion across all systems
│  ├─ Send confirmation email to parent
│  └─ Display confirmation: "Alex's account and data have been deleted.
│      Backup copies will be removed within 30 days."
│
└─ If "Cancel" selected:
   └─ Return to dashboard (no action taken)

Handling Competing Interests

Scenario	Outcome	Rationale
Parent requests deletion; child wants to keep account	Parent's request takes priority for children below threshold	Parent holds consent authority under Art. 8
Child (16+) requests deletion; parent wants to retain	Child's request takes priority	Child above UK threshold; autonomous rights holder
School requests deletion of student data; parent wants to retain	Delete from BrightPath; inform parent they may retain their own copies	School's FERPA/contractual authority governs school-directed data
Safeguarding investigation active on the child's account	Retention of relevant data permitted under Art. 17(3)(d)	Vital interests / public interest in protection of the child
Child's data needed for ongoing legal claim	Retention permitted under Art. 17(3)(e)	Legal claims exception

Exception Grounds — When Deletion Can Be Refused

Art. 17(3) provides exceptions where the right to erasure does not apply:

Exception	Art. 17(3) Reference	Application to Children's Data
Freedom of expression	Art. 17(3)(a)	Rarely applies to children's data; would require compelling journalistic or artistic purpose
Legal obligation	Art. 17(3)(b)	Tax records of transactions; mandatory educational records under national law
Public health	Art. 17(3)(c)	Vaccination records; public health surveillance data
Archiving in public interest	Art. 17(3)(d)	Educational research (with ethical approval and anonymisation)
Legal claims	Art. 17(3)(e)	Data needed for establishment, exercise, or defence of legal claims

Important: Even where an exception applies, the controller should delete as much data as possible and retain only the minimum necessary to satisfy the exception.

Common Compliance Failures

1. No child-accessible deletion tool: Requiring children to navigate adult-oriented privacy settings or contact forms to exercise deletion rights
2. Parental deletion blocked by verification failure: Overly burdensome verification requirements that prevent parents from exercising deletion rights
3. Incomplete deletion scope: Deleting the account profile but retaining activity logs, analytics data, or cached copies
4. No backup deletion: Deleting from production systems but retaining data indefinitely in backups
5. No third-party notification: Failing to notify third parties that received the child's data per Art. 17(2)
6. Exceeding the one-month timeline: Processing deletion requests beyond the Art. 12(3) one-month deadline without notifying the requester of an extension
7. No deletion of historical data on adult request: Refusing to delete childhood data when the (now adult) data subject requests it, on the grounds that the data is "old" or "archived"

Enforcement Precedents

• Google (CJEU, C-131/12, Google Spain, 2014): Established the right to erasure including for data published during minority; the Court emphasised the importance of erasure for information that is "inadequate, irrelevant or no longer relevant, or excessive"
• TikTok (ICO, 2023): GBP 12.7 million fine included findings on failure to provide adequate mechanisms for parents and children to exercise rights including deletion
• Musical.ly/TikTok (FTC, 2019): USD 5.7 million settlement required TikTok to delete all information collected from children under 13 and provide a mechanism for parents to request deletion going forward
• Edmodo (FTC, 2023): USD 6 million penalty; order required Edmodo to delete children's personal information collected in violation of COPPA and establish a deletion program
• Google (CNIL France, 2022): EUR 150 million fine for making it difficult for users to refuse cookies; the CNIL noted the platform's large child user base as an aggravating factor, and the difficulty children would face in exercising opt-out rights

Integration Points

• Children's Data Minimisation: Data minimisation reduces the scope and complexity of deletion — less data collected means less data to delete
• COPPA Compliance: COPPA Section 312.6 provides explicit parental deletion rights that operate alongside GDPR Art. 17
• GDPR Parental Consent: The parent who gave consent under Art. 8 has the authority to request deletion by withdrawing consent under Art. 7(3)
• EdTech Privacy Assessment: School-directed EdTech must handle deletion requests from both parents and schools, with end-of-year deletion as standard
• UK AADC Implementation: AADC Standard 15 requires prominent, accessible deletion tools designed for children