gdpr-parental-consent

GDPR Parental Consent Verification

Overview

Article 8 of the GDPR establishes that when information society services are offered directly to a child, the processing of personal data based on consent is lawful only where the child is at least 16 years old. Member States may lower this threshold to a minimum of 13 years. Where the child is below the applicable age threshold, consent must be given or authorised by the holder of parental responsibility. The controller must make reasonable efforts to verify that the person giving consent holds parental responsibility, taking into consideration available technology. This skill provides a comprehensive framework for implementing Art. 8 compliance, drawing on EDPB Guidelines 5/2020, national implementations, and enforcement precedents.

Legal Foundation — Article 8 GDPR

Art. 8(1) — Conditions for Child's Consent

Where Article 6(1)(a) (consent) applies in relation to the offer of information society services directly to a child, the processing shall be lawful where the child is at least 16 years old. Where the child is below the age of 16 years, processing is lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child. Member States may provide by law for a lower age for those purposes provided that such lower age is not below 13 years.

Art. 8(2) — Verification Obligation

The controller shall make reasonable efforts to verify in such cases that consent is given or authorised by the holder of parental responsibility over the child, taking into consideration available technology.

Art. 8(3) — Other Lawful Bases Unaffected

Article 8(1) does not affect the general contract law of Member States such as rules on the validity, formation or effect of a contract in relation to a child.

Age Thresholds by EU/EEA Member State

Country	Age Threshold	National Legislation
Austria	14	Austrian Data Protection Act (DSG) Section 4(4)
Belgium	13	Act of 30 July 2018, Art. 7
Bulgaria	14	Personal Data Protection Act, Art. 25a
Croatia	16	Implementation Act on GDPR, Art. 19
Cyprus	14	Law 125(I)/2018, Art. 8
Czech Republic	15	Act No. 110/2019 Sb., Section 7
Denmark	13	Danish Data Protection Act, Section 6(2)
Estonia	13	Personal Data Protection Act, Section 8
Finland	13	Data Protection Act 1050/2018, Section 5
France	15	Loi Informatique et Libertes, Art. 45
Germany	16	GDPR default — no lowering enacted
Greece	15	Law 4624/2019, Art. 21
Hungary	16	GDPR default — Act CXII of 2011 amended
Ireland	16	Data Protection Act 2018, Section 31
Italy	14	Legislative Decree 101/2018, Art. 2-quinquies
Latvia	13	Personal Data Processing Law, Art. 10
Lithuania	14	Law on Legal Protection of Personal Data, Art. 5
Luxembourg	16	Law of 1 August 2018, Art. 8
Malta	13	Data Protection Act Cap. 586, Art. 30
Netherlands	16	GDPR default — UAVG did not lower
Norway	13	Personal Data Act, Section 5
Poland	16	GDPR default — Act of 10 May 2018
Portugal	13	Law 58/2019, Art. 16
Romania	16	GDPR default — Law 190/2018
Slovakia	16	GDPR default — Act 18/2018
Slovenia	16	GDPR default — Personal Data Protection Act
Spain	14	Organic Law 3/2018, Art. 7
Sweden	13	Act 2018:218, Chapter 2, Section 4
UK (post-Brexit)	13	Data Protection Act 2018, Section 9; UK GDPR Art. 8

Determining When Article 8 Applies

Article 8 applies only when ALL of the following conditions are met:

1. Information society service: A service normally provided for remuneration, at a distance, by electronic means, and at the individual request of the recipient (Directive 2015/1535, Art. 1(1)(b)). Includes social media, gaming platforms, e-commerce, streaming, and educational apps. Does NOT include preventive or counselling services offered to a child.

2. Offered directly to a child: The service is targeted at children or the controller is aware that the user base includes children. Indicators include child-oriented design, content, marketing, or listed in app stores under children's categories.

3. Consent as lawful basis: Processing relies on Art. 6(1)(a) consent. If the controller relies on a different lawful basis (legitimate interest, contract performance, legal obligation), Art. 8 does not apply — although the best interests of the child remain relevant under Recital 38.

4. Child below applicable national threshold: The data subject is below the age threshold set by the applicable Member State.

Parental Verification Mechanisms

Tier 1 — High Assurance (Recommended for sensitive data or high-risk processing)

Method	Description	Strengths	Weaknesses
Electronic ID verification (eIDAS)	Parent authenticates using national eID	Legally binding, high certainty	Limited cross-border availability
Video call verification	Live video call with parent showing ID	Strong visual confirmation	Resource-intensive, not scalable
Credit card transaction	Small charge to parent's credit card with reversal	Financial identity verification	Excludes unbanked parents
Government ID upload	Parent uploads government-issued photo ID	Document-based verification	ID document fraud risk, data minimisation concern

Tier 2 — Medium Assurance (Suitable for standard processing)

Method	Description	Strengths	Weaknesses
Email-plus verification	Email to parent with knowledge-based confirmation	Reasonable effort at scale	Email can be accessed by child
SMS verification with callback	SMS code sent to parent's mobile number	Ties to physical device	Children may access parent's phone
Parental account linking	Parent creates own verified account and links to child	Ongoing oversight capability	Parent account creation friction
Digital signature	Parent signs consent form electronically	Legally valid, auditable	Requires parent digital literacy

Tier 3 — Basic Assurance (Minimum for low-risk processing)

Method	Description	Strengths	Weaknesses
Email verification	Verification email to parent-provided address	Low friction, scalable	Lowest assurance level
Checkbox declaration	Parent confirms status via checkbox	Minimal implementation cost	Easily circumvented

Selecting Verification Level — Risk-Based Approach

The appropriate verification level depends on:

• Nature of data collected: Special category data (Art. 9) requires Tier 1 verification
• Volume of data: Extensive profiling or monitoring of children requires Tier 1
• Purpose of processing: Marketing or behavioural advertising requires higher assurance than educational tools
• Risk to children: Services enabling direct messaging or social interaction with strangers require Tier 1
• Available technology: Controllers must consider technology available at the time of implementation per Art. 8(2)

Consent Record Requirements

Every parental consent must be documented with the following fields to satisfy Art. 7(1) demonstration obligation:

Field	Description	Example
consent_id	Unique identifier for the consent record	PC-2026-0001457
child_identifier	Pseudonymised child identifier	child_a3b7c9d2
child_age_at_consent	Age of child at time of consent	12
applicable_threshold	National age threshold applied	13 (Belgium)
parent_identifier	Pseudonymised parent identifier	parent_f4e8a1b6
verification_method	Method used to verify parental responsibility	credit_card_transaction
verification_outcome	Result of verification	verified
purposes	Specific processing purposes consented to	["account_creation", "content_personalization"]
data_categories	Categories of personal data covered	["name", "age", "usage_data"]
consent_text_version	SHA-256 hash of the consent text shown	a1b2c3d4...
timestamp	ISO 8601 timestamp of consent	2026-03-14T10:30:00Z
withdrawal_mechanism	How parent can withdraw consent	parental_dashboard
expiry_date	Consent review/expiry date	2027-03-14

BrightPath Learning Inc. — Implementation Example

BrightPath Learning Inc. operates an educational gaming platform targeting children aged 8-15 across the EU. The platform is available in France (threshold: 15), Germany (threshold: 16), Spain (threshold: 14), and Belgium (threshold: 13).

Implementation Steps

Step 1: Age Collection (Neutral Design)

• During account creation, the platform asks "What year were you born?" using a scrollable date selector (not a free-text field)
• The age prompt does not indicate why the question is asked or what the "correct" answer would be
• The platform calculates age based on the response and applies the threshold of the child's country of residence

Step 2: Threshold Routing

• Child in France aged 14 → Below threshold (15). Parental consent required.
• Child in Belgium aged 14 → Above threshold (13). Child can consent independently.
• Child in Germany aged 15 → Below threshold (16). Parental consent required.

Step 3: Parental Verification Flow

• Child enters parent's email address
• Platform sends verification email to parent with one-time link
• Parent clicks link, creates a parental oversight account
• Parent verifies identity via credit card micro-transaction (EUR 0.50 refunded within 48 hours)
• Parent reviews and approves specific processing purposes
• Parent receives confirmation with link to parental dashboard

Step 4: Ongoing Parental Oversight

• Parental dashboard displays all active consents with per-purpose granularity
• Parent can withdraw consent for any purpose at any time
• Platform sends annual consent renewal reminder
• When child reaches the applicable age threshold, the platform notifies both parent and child, and transitions consent authority to the child

Consent Record Example

{
  "consent_id": "PC-2026-0003891",
  "child_identifier": "child_bp_8f3a2d",
  "child_age_at_consent": 12,
  "applicable_threshold": 15,
  "applicable_country": "FR",
  "parent_identifier": "parent_bp_c7e4f1",
  "verification_method": "credit_card_micro_transaction",
  "verification_outcome": "verified",
  "verification_timestamp": "2026-03-14T14:22:00Z",
  "purposes": [
    {
      "purpose_id": "edu_content_delivery",
      "description": "Deliver educational gaming content appropriate to child's learning level",
      "consented": true
    },
    {
      "purpose_id": "progress_tracking",
      "description": "Track learning progress and generate reports for parent",
      "consented": true
    },
    {
      "purpose_id": "personalized_recommendations",
      "description": "Recommend games based on learning progress and preferences",
      "consented": false
    }
  ],
  "data_categories": ["name", "age", "learning_progress", "game_interactions"],
  "consent_text_version": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
  "timestamp": "2026-03-14T14:25:00Z",
  "withdrawal_mechanism": "parental_dashboard",
  "expiry_date": "2027-03-14",
  "controller": "BrightPath Learning Inc.",
  "controller_address": "200 Education Lane, Amsterdam, 1012 AB, Netherlands"
}

Enforcement Precedents

• TikTok (DPC Ireland, 2023): EUR 345 million fine for violations including failure to implement adequate parental consent mechanisms for children under 13, default public profiles for child accounts, and transparency failures under Articles 5(1)(a), 5(1)(c), 12, 13, 24, and 25.
• Instagram (DPC Ireland, 2022): EUR 405 million fine for allowing children aged 13-17 to operate business accounts with public-by-default settings, exposing children's contact information. Related to inadequate implementation of Art. 8 and Art. 25 obligations.
• Google/YouTube (FTC, 2019): USD 170 million settlement for collecting children's personal information (persistent identifiers) to serve targeted advertising without obtaining verifiable parental consent, violating COPPA.
• Fortnite/Epic Games (FTC, 2022): USD 275 million settlement for collecting personal information from children under 13 without parental notification or consent, and enabling real-time voice and text communications with strangers by default.
• CNIL France — TIKTOK (2022): EUR 5 million fine for making it difficult to refuse cookies on the platform, with aggravating consideration of the large number of child users.

Common Compliance Failures

1. Single age threshold for all EU operations: Controller applies one threshold (e.g., 16) across all Member States instead of the locally applicable threshold based on the child's country of residence
2. Self-declaration only: Relying solely on the child's statement of age without any verification mechanism
3. No parental verification: Collecting parent's email but not verifying that the email holder actually has parental responsibility
4. Consent bundling: Obtaining parental consent for all processing purposes in a single checkbox instead of granular per-purpose consent
5. No consent expiry: Failing to periodically refresh parental consent or transition authority when the child reaches the applicable threshold
6. Cookie walls for children: Denying access to the service unless all cookies (including analytics and advertising) are accepted

Integration Points

• Age Verification Methods: Art. 8(2) requires reasonable efforts to verify age before determining whether parental consent is needed
• Children's Privacy Notice: Art. 12 transparency obligation requires clear communication to both parent and child
• Children's Data Minimisation: Art. 5(1)(c) data minimisation is interpreted strictly when processing children's data per Recital 38
• UK AADC Implementation: The UK Age Appropriate Design Code supplements UK GDPR Art. 8 with 15 design standards
• COPPA Compliance: For services also targeting US children under 13, COPPA requirements run in parallel with GDPR Art. 8