The text that was agreed last night reads as follows
Article 8
Conditions applicable to child’s consent in relation to information society services
- ….. in relation to the offering of information society services directly to a child, the processing of personal data of a child below the age of 16 years, or if provided for by Member State law a lower age which shall not be below 13 years, shall only be lawful if and to the extent that such consent is given or authorised by the holder of parental responsibility over the child.
1a. The controller shall make reasonable efforts to verify in such cases that consent is given or authorised by the holder of parental responsibility over the child, taking into consideration available technology.
UK law will be changed
The above means UK law will be changed because our (vague) rules suggest 12 is our baseline although theoretically the company was supposed to undertake an individual, subjective assessment of each child to satisfy themselves that they understood the nature of the transaction being put to them.
And age verification?
What are we to make of the second part of the text? This may turn out to be a grand irrelevance. If companies simply change their qualifying age to 16 then, as now, they will have no need to seek or obtain parental consent. The scale of misrepresentation of a young person’s age will increase and young people’s respect for the idea of rules will be diminished and undermined, only on a larger scale.
Desiderata 