Products that are connected to the Internet have become an integral part of our society. More and more "connected" products are being developed, not only for adults (connected cars, for example) but also for children: products in which the user, the product and the online world interact. Examples include a talking Barbie doll, an advanced children's smartwatch and a toy tractor that can be controlled with an app or Bluetooth.

For toy manufacturers, connected toys offer a wealth of opportunities. They get to know their user base better and can monitor how their products are being used. Connected toys also provide insight into areas for improvement of the products and how additional products or services can be offered. For young users, connected toys do not only provide benefits. There are several dangers associated with such connected products, but children and their parents are often insufficiently aware of the risks.
Personal data are processed when using connected toys. When these toys are offered in the EU, they are subject to the General Data Protection Regulation (GDPR; in Dutch, the AVG). The AVG provides additional safeguards when children's personal data is at stake.
Because of the vulnerability of the young target group, the AVG includes specific provisions on the processing of children's personal data. Member States may adopt additional rules within the framework of the AVG to better protect the rights of data subjects. This is a change from the AVG's predecessor, the Privacy Directive, which contained nothing specific about children. It was up to the member states themselves to regulate this in their local laws, or fail to do so. The following are some of the important rules for children from the AVG.
In order to process children's personal data, a legal basis must be present. One such basis is consent. For "information society services," children 16 and older may give their own consent. For the processing of personal data of children under 16, a parent or legal representative must give consent, otherwise the consent is not valid.
Member states themselves may lower this age, but not below 13. There are therefore differences between the various member states: France, for example, uses an age of 15, Cyprus 14, and in Belgium, Denmark and Sweden the age is 13. The Netherlands maintains the age of 16.
When a controller (a toy manufacturer, for example) seeks consent from a child, it must make an effort to verify that the parent/guardian has given consent on behalf of the child.
There is a similar rule in the United States. Its violation has led to a large settlement. The popular app TikTok, which many children use, recently had to pay $5.7 million to the U.S. Federal Trade Commission for collecting personal data from children under 13 without verifiable parental consent. An app like TikTok is pre-eminently an "information society service" and directly solicited consent from children.
According to the AVG, a data subject must be informed in a clear manner when personal data are processed. This means that a data subject must understand what permission is being asked for or what will happen with the personal data. The AVG pays extra attention to this for children: if the information is intended for them, it must also be clear to them. When drafting a Privacy Statement, the language and structure must therefore take into account the target group. Children must also be able to understand it.
A young user's consent may be less informed than that of an adult, who is more aware of the risks. Therefore, the AVG provides the possibility of being forgotten, especially when consent was given when the individual was a child.
This article can also be found in the Youth & Education and AVG dossiers.
