Article 8 defines the conditions for children’s consent in relation to information society services. It limits the age at which a child can consent on their own and puts special duties on controllers to verify the consent.
This article complements Article 6(1)(a) for situations where a controller uses consent in order to process the personal data of children. Children need more protection because they are generally less aware of the risks of consenting to the processing of their data. Article 8 places extra demands on how a controller can collect consent from children.
The article applies to situations where consent is used for processing that enables the offer of information society services directly to children. Information society services are defined as “any service normally provided for remuneration, by electronic means and at the individual request of a recipient of services.”
The article states that when the child is below 16 years old, processing of their data will only be lawful if the consent is given or authorised by the holder of parental responsibility. The controller is also responsible for making reasonable efforts to verify that the individual who says they have the parental responsibility actually is the parent or guardian of the child.
It is also important to note that each member state can choose for itself which age limit it considers appropriate for a data subject to be able to consent to the processing of their data. However, it may not be below 13 years.