Tremendous technological advances have contributed to the collection of personal data on an ever-increasing scale. That includes children's personal data. Websites aimed at children follow them online through tracking cookies. The General Data Protection Regulation (AVG) pays specific attention to the protection of children's personal data.
Tracking cookies (also called marketing cookies) are used to track a website visitor's browsing behavior. The data thus obtained are used to compile a profile of the website visitor. This provides a picture of the website visitor's interests.
Advertisers can then classify Web site visitors according to socioeconomic, psychological, philosophical or other criteria and show them different ads based on those criteria. Search engines can offer visitors different search results based on such classifications. With a tracking cookie, for example, someone who has previously visited an online store without buying anything there is shown an advertisement on another website that is tailored to that previous online store visit.
The cookie law therefore stipulates that cookies may only be placed and read if the website visitor has given permission. In doing so, he must be clearly and fully informed, including the purpose for which the cookies are used. Such consent is usually requested and given via a cookie banner, referring to the cookie statement.
The starting point is that personal data are processed by tracking cookies. This is subject to the AVG, for example when it comes to informing about cookies. The cookie law also refers to the AVG for the rules for asking permission.
The AVG emphasizes that children are entitled to specific protection with respect to their personal data. Indeed, children are less aware of the risks and possible consequences of processing their personal data. This specific protection applies even more to the use of children's personal data for marketing purposes or for the creation of personality or user profiles and the collection of personal data about children when using services provided directly to children.
The AVG therefore has a specific provision dealing with children's consent to the processing of their personal data. The basic principle is that personal data of children, under the age of 16, may only be processed with the consent of the parents/caregivers.
However, EU countries have the option of setting the limit for consent for online processing at a lower age, provided it is not below 13. The Netherlands has not used this option. Thus, the age limit in the Netherlands is 16.
The age limit from AVG applies only to data processing by online services. For example, through an app, online game, web store or through social media. In the Netherlands, the rules for children's consent also apply to services other than online services. Think of the processing of personal data to have a product ordered in a store delivered to your home.
In principle, the AVG does not prohibit the use of tracking cookies on children. In doing so, the European Data Protection Board (EDPB) emphasizes that children are a more vulnerable group of society.
Children are particularly vulnerable in the online environment and are easier to influence with surfing behavior-targeted advertising. For example, in online games, profiling can be used to target advertising to players who, according to the algorithm, are more likely to spend money on the game and show more personalized advertising. Because of their age and immaturity, children may not fully understand the reasons for this type of marketing and the impact it may have on them.
Therefore, according to the EDPB, organizations should generally refrain from profiling children for marketing purposes. While profiling of children, and thus use of tracking cookies, is not prohibited, it is important to assess on a case-by-case basis whether children's privacy and rights can continue to be guaranteed. This will be particularly important with websites that target children exclusively or primarily.
Another tricky issue is that website owners must be able to prove that the website visitor has given permission for their personal data to be processed through tracking cookies. Usually this can be demonstrated because the website visitor has to click on something or check a box. With children, however, this is not so simple. Namely, it must then be demonstrated that the consent of the parents/caregivers was actually obtained. Especially in the online context, this is almost impossible to set up.
Furthermore, the website visitor must be clearly informed about who places and reads cookies and who gets access to and is responsible for the data thus obtained. It should also be made clear that tracking cookies are used to create profiles, what type of information is collected to create such profiles, that these profiles are used to offer targeted advertising, and that the user's surfing behavior is tracked because the user can be recognized on multiple websites by the cookie on his computer. If the website is aimed at children, the information should be in clear and simple language so that the child can easily understand it.
Do you have a website with which you exclusively or primarily target children and do you use tracking cookies? Then it is important to design your cookie banner and cookie statement as privacy-friendly as possible. Moreover, because it involves profiling and a vulnerable group of data subjects (children), you are obliged to carry out a so-called data protection impact assessment (DPIA). This is a tool to identify the privacy risks of a data processing operation in advance. And to then be able to take measures to reduce the risks. The Personal Data Authority may ask about the DPIA you have conducted.
More articles by SOLV Lawyers
