Where we work
Bird & Bird Plus
Central and Eastern Europe
Russia and the CIS
Southeast Europe and Turkey
Switzerland and Austria
United Arab Emirates
Competition & EU Law
Digital Rights & Assets
Finance & Financial Regulation
International Dispute Resolution
International HR Services
Privacy and Data Protection
Public Projects and Procurement
Regulatory & Public Affairs
Regulatory and Administrative
Restructuring and Insolvency
Trade and Customs
Aviation & Aerospace
Defence & Security
Energy & Utilities
Life Sciences and Healthcare
Media, Entertainment and Sport
Retail and Consumer
Technology & Communications
News & events
Bird & Bird
General Data Protection Regulation
As regards child's consent in relation to information society services, Sec 4 (4) ADPA lowers the minimum age to 14 years.
Section 7 sets the age of consent for children in relation to offering of information society services at 15 years of age.
According to the Data Protection Act, the age limit for providing information society services on the basis of consent is 13 years.
Age limits of 13 and 15 years, were considered. Ultimately the decision was based on the comments received during the consultation phase and on the decisions made by other Nordic countries.
Article 7-1. If under 15, joint consent from the child and the holder of parental authority is required.
No specific provisions.
Under section 31 of the Act, the age at which a child may consent on their own behalf to processing in relation to information society services is 16 years of age. Within three years of the Act coming in to operation, the Minister for Justice and Equality must commence a review of the age of digital consent.
14 years old (Article 7 of the SDPA)
Article 8(1) of the GDPR states that where the offer of “information society services” is made directly to a child, and the legal basis for the processing of that child’s data is consent per Article 6(1)(a) of the GDPR, the processing will only be lawful where the child is at least 16 years old.
Article 8(1) further provides that:
• Where the child is below 16 years of age, the processing will only be lawful if consent is given or authorised by a person with parental responsibility over the child; and
• Member States may provide for a lower age of consent in the context of processing for information society services, provided that this is not lower than 13 years of age.
The Data Protection Act
Section 9 of the Act deals with child consent in relation to information society services. It provides that, in the UK, children of 13 years or age or older can give their consent to such processing. Children under the age of 13 will require the consent of a parent or guardian for the processing – provided that consent is relied upon as the legal basis.
Notably, section 9 makes clear that the reference to “information society services” does not include preventative or counselling services – that is, children under 13 years of age will be able to give their consent to processing for those services.
Section 123(1) of the Act states that the Information Commissioner must prepare a code of practice on standards of age-appropriate design of relevant information society services which are likely to be accessed by children.