The enormous technological progress has contributed to the collection of personal data on an ever-increasing scale. This also applies to children’s personal data. Websites targeting children track them online using tracking cookies. The General Data Protection Regulation (GDPR) pays specific attention to the protection of children’s personal data.
Tracking cookies (also known as marketing cookies) are used to track the surfing behaviour of a website visitor. The data obtained is used to create a profile of the website visitor. This profile sketches an image of the interests of the website visitor.
Advertisers can classify website visitors according to socioeconomic, psychological, philosophical or other criteria and show them different advertisements based on these criteria. Search engines can offer visitors different search results based on such classifications. With a tracking cookie, for example, someone who has previously visited a webshop without buying anything is shown an advertisement on another website that is tailored to that previous webshop visit.
The cookie legislation therefore stipulates that cookies may only be placed and read if the website visitor has given consent to do so. In doing so, he must be clearly and fully informed, including the purpose for which the cookies are used. This Consent is usually requested and given via a cookie banner, which refers to the cookie statement.
The basic principle is that personal data is processed by means of tracking cookies. The GDPR applies to this, for example when it comes to informing about cookies. The cookie legislation also refers to the GDPR for the rules for requesting consent.
The GDPR emphasizes that children have a right to specific protection with respect to their personal data. Indeed, children are less aware of the risks and possible consequences of processing their personal data. This specific protection applies even more to the use of children’s personal data for marketing purposes or to the creation of personality or user profiles.
The GDPR therefore has a specific provision regarding children’s consent to the processing of their personal data. The premise is that personal data of children under the age of 16 may only be processed with the consent of the parents/carers.
However, EU countries have the option to set the limit for consent in the case of online processing at a lower age, as long as it is not less than 13 years of age. The Netherlands has not made use of this option. In the Netherlands there is an age limit of 16 years.
The GDPR age limit only applies to data processing by online services. For example through an app, online game, web store or social media. In the Netherlands, the rules for children’s consent also apply to services other than online services. For example, the processing of personal data in order to have a product ordered in the store delivered to your home.
Children and tracking cookies
In principle, the GDPR does not prohibit the use of tracking cookies on children. The European Data Protection Board (EDPB) emphasizes that children are a more vulnerable group of society.
Children are particularly vulnerable in the online environment and are more easily influenced by behavioural advertising. For example, in online gaming, profiling can be used to target players that the algorithm considers are more likely to spend money on the game as well as providing more personalised adverts. The age and maturity of the child may affect their ability to understand the motivation behind this type of marketing or the consequences.
Therefore, according to the EDPB, organizations should generally refrain from profiling children for marketing purposes. While child profiling, and therefore the use of tracking cookies, is not prohibited, it is important to assess on a case-by-case basis whether the privacy and rights of children can be safeguarded. This will be particularly important in the case of websites that focus exclusively or primarily on children.
Another tricky issue is that website owners must be able to demonstrate that the website visitor has given permission for their personal data to be processed using tracking cookies. Usually this can be demonstrated because the website visitor has to click or tick something. With children, however, this is not that simple. In that case, it must be demonstrated that the consent of the parents/carers has actually been obtained. Especially in the online context this is almost impossible to set up.
The website visitor must also be clearly informed about who places and reads cookies and who has access to and is responsible for the data thus obtained. It should also be made clear that tracking cookies are used to compile profiles, what type of information is collected to compile such profiles, that these profiles are used to offer targeted advertising and that the user’s surfing behaviour is tracked because the cookie on his device can be recognized on multiple websites. If the website is targeted at children, the information must be written in clear and simple language so that the child can easily understand it.
Do you have a website that focuses exclusively or primarily on children and do you use tracking cookies? Then it is important to set up your cookie banner and cookie statement as privacy friendly as possible. Because the data processing includes profiling and a vulnerable group of people (children), you are also obliged to perform a so-called data protection impact assessment (DPIA). This is an instrument to identify the privacy risks of data processing in advance. And then to be able to take measures to reduce or eliminate the risks. The Data Protection Authority may ask for the DPIA that you have carried out.