Children’s Privacy in the Internet of Things – Part 2: How the GDPR boosts children’s privacy

Feb 16, 2017

The European General Data Protection Regulation (GDPR) has a direct impact on a number of actors in the IoT business that market and sell smart devices, systems, toys or other applications. The GDPR also gives a boost to children’s privacy: unlike its predecessor, it contains a handful of provisions that directly address children’s data privacy.

In the new regulation, which will apply from May 2018 onwards, children are seen as vulnerable individuals who need special protection as digitalization goes forward. The new provisions in Article 8 require that when online services are provided to a child under the age of 16 and consent is used as the basis for lawful processing, consent must be given or authorized by the holder of parental responsibility over the child (Member States may also set a lower age limit, which, however, may not be under 13). Moreover, GDPR Article 12 provides that the information given to the data subject should be concise and transparent, using clear and plain language so that the child can easily understand it.

This means that, under the GDPR, children below the applicable age limit (13 to 16, depending on the Member State) cannot give valid consent on their own behalf to the processing of their personal data. The provision poses challenges to IoT manufacturers that have brought, or are about to bring, smart devices to the market that may be used by a child. Actors in the IoT field therefore need to implement a parental consent mechanism while keeping in mind that the age limits will not be uniform across the EU Member States. At the same time, it will be difficult for children’s guardians to monitor children’s use of smart devices and give proper consent when needed.

Despite the practical challenges, the new age-limit provision, together with the “Privacy by Design” and “Privacy by Default” principles, increases children’s privacy significantly. Under the principle of Privacy by Design, organizations need to take the protection of personal data into consideration in each new service or business process that uses such data. The principle of Privacy by Default, in turn, requires that the strictest privacy settings be in use by default when a customer acquires a new product or service. These new principles can be considered the driving forces in increasing children’s data privacy. Many may find it challenging to find the right ways to implement the GDPR principles in practice and to embed privacy and data protection into product development.

The third and last part of our blog series will tell you what to take into account when buying a “smart” toy for a child. Read also the first part of the series.



Saara Koski, Privacy Specialist