Websites, data protection and children

28 Jun 2008
Alasdair Taylor

The first principle of data protection law is that personal data must be processed fairly and lawfully, and that one or more specified conditions must be met. Perhaps the most important of those conditions affecting the collection and use of personal data via websites is: “The data subject has given his consent to the processing”  (Data Protection Act 1998, Schedule 2, paragraph 2).  This raises the question of when a child can be taken to have consented to the processing of his or her personal data.

The DPA 1998 does not itself explicitly deal with the issue of obtaining consent from children.  However, the Information Commissioner has written: “Websites that collect information from children must have stronger safeguards in place to make sure any processing is fair. You should recognise that children generally have a lower level of understanding than adults, and so notices explaining the way you will use their information should be appropriate to their level, and should not exploit any lack of understanding. The language of the explanation should be clear and appropriate to the age group the website is aimed at. If you ask a child to provide personal information you need consent from a parent or guardian, unless it is reasonable to believe the child clearly understands what is involved and they are capable of making an informed decision”  (The Data Protection Good Practice Note: Collecting personal information using websites).

So, privacy policies should be extra-prominent and extra-clear.  A very young child may never be able to give adequate consent, whereas an older child may be able to give adequate consent in many different circumstances.

The Information Commissioner does go on to refer to a particular age threshold: “The Act does not state a precise age at which a child can act in their own right. It depends on the capacity of the child and how complicated the proposition being put to them is. As a general rule, we consider the standard adopted by Trust UK to be reasonable:  ‘TrustUK approved webtraders recognise children need to be treated differently from adults. They will not market their products in any way that exploits children, nor will they collect information from children under 12 without first obtaining the permission of a parent or guardian. They will not collect personal data about adults from children.’”

There are particular pitfalls for the operators of social networking websites, other websites which publish user generated content, and websites that collect information that is passed on to third parties: “There are certain practices that are likely to breach the Act, for example, collecting information about other people from children, and enticing children to reveal information to win a prize or similar. If you are going to disclose or transfer personal information collected from children to third parties, you need to have the explicit and verifiable consent of the child’s parent or guardian, unless you can be sure that the child really appreciates what is going on and the consequences of their actions. If you want to publish a child’s personal information on the internet, you should usually get the verifiable consent of the child’s parent or guardian. Whether you need the parents’ or guardians’ consent for the publication, or that of the child, will depend on the circumstances, in particular, the child’s age and whether you can be sure the child fully understands the implications of making their information available on the internet.”

An obvious question arises: how can parental consent be verified?  The Commissioner states: “If you need parental consent, you must have some way of verifying this. It will not usually be enough to ask children to confirm their parents have agreed by using a mouse click. If you need parental consent but decide that verifying the consent will involve disproportionate effort, you should not carry out your proposed activity.” There is a wide range of methods which may be used to verify parental consent, some of which are stronger than others.  For example, you might ask for a nominal credit card payment to be made before the child can access the relevant functionality, or you might telephone parents to verify consent.

Note: there is a dedicated US law concerning the online collection of children’s personal data.  The Children’s Online Privacy Protection Act of 1998 (COPPA) applies to commercial websites that are directed at children under 13 or, even if not so directed, knowingly collect information from children under the age of 13.  The most far-reaching provision of COPPA requires that such websites must, before collecting, using or disclosing personal information from a child, obtain verifiable consent from the child’s parent.  This is why many US-orientated websites prohibit children under 13 from registering and using the website.


Children should be properly taught how to responsibly use their computers as well as accessing the Internet so they will not commit the mistake of disclosing too much information. It is not like documents that you can shred when you do not want others to gain access to them. On the Internet, websites store all the data they get from you and we will never know how they will make use of them.

Is it ok for a child’s information to be stored on a web server if entered by the parent? Does it have to be on a secure connection (HTTPS)? etc

Was there ever an answer posted to this question please:-

Is it ok for a child’s information to be stored on a web server if entered by the parent? Does it have to be on a secure connection (HTTPS)? etc

posted by Tom on Mon, 06/01/2014 – 14:53.

No, the post was not answered, mainly because it is difficult to give a useful answer without much more information: what information is being collected and stored? What will that information be used for? Who is doing the collecting and why? What security measures will be employed to protect the information?  What other policies and procedures will apply in relation to the information?

Even with all this information, the answer is unlikely to be very clear.


SEQ Legal
Copyright © 2021 Docular Limited | All rights reserved