On June 9, 2021, the French Supervisory Authority (“CNIL”) published recommendations to help strengthen the protection of minors online (see here, in French).  These recommendations are the result of a survey and public consultation conducted by the CNIL in 2020, which focused on the digital practices of minors (see our blog post here).  The results of the CNIL’s survey and public consultation indicate that children are accessing the Internet at an early age on a “massive” scale.  In light of this reality, the CNIL underscores the importance of ensuring that minors benefit from the effective protection of their personal data when engaging online.

The CNIL addresses its recommendations to a diverse audience that includes online service providers (such as websites and app providers), as well as providers of age-verification systems.  Below, we summarize the CNIL’s eight recommendations aimed at enhancing the protection of minors online:

  1. Regulate the ability of minors to act online – Even though an individual below 18 years of age does not have legal capacity to conclude a contract under French civil law, the CNIL recommends that minors 15 years and older be allowed to conclude contracts for online services that involve the processing of their personal data (e.g., social media and online gaming sites) provided that: (i) the services are adapted to a young user base; (ii) the data processing strictly complies with the GDPR and French data protection law; and (iii) minors are informed in a clear and appropriate manner about the data processing, including their personal data rights.
  2. Encourage minors to exercise their rights – Even though parents are responsible for exercising personal data rights on behalf of their children under French law, the CNIL is of the opinion that minors should also be able to directly exercise these rights on social networks, gaming and video-sharing platforms.
  3. Support parents in digital education – The CNIL underscores the importance of providing parents with tools and other forms of support to help keep children safe online. The CNIL proposes to achieve this by, among other things, partnering with stakeholders and other governmental bodies (e.g., the French Ministry of Education).
  4. Seek the consent of a parent for minors under the age of 15 – The CNIL clarifies that, under French law, parental consent is sufficient if it is obtained from only one parent (rather than both) because the consent of the other parent is presumed, although the parent who did not give consent may still express opposition.
  5. Promote parental tools that respect the privacy and interests of the minor – The CNIL reminds service providers offering parental tools that they need to comply with data protection law, in particular with the principles of:
    • proportionality (e.g., by taking into account the minor’s age and maturity, and ensuring that the tool is not too intrusive on the minor’s private life);
    • transparency (e.g., by informing the minor about the tool); and
    • data security (e.g., restricting access to the minor’s data).

Parental tools should take into account the best interests of the minor and their private life.

  1. Adapt terms and disclosures and reinforce the rights of minors by design – The CNIL recommends that online service providers: (i) adapt the language of their privacy policies and user terms so that they are more easily understood by minors; (ii) provide simplified privacy settings and interfaces, and deactivate certain data collection features (such as geolocation) by default; and (iii) publish a list of commitments for the protection of minors’ data in a consolidated and understandable format.
  2. Verify the age of minors and obtain parental consent while respecting privacy – The CNIL highlights that age verification systems should not detract from a minor’s ability to browse the Internet freely without having to identify themself.  For this reason, the CNIL sets out the following six criteria that age-verification systems should comply with: (i) proportionality; (ii) data minimization; (iii) robustness; (iv) simplicity; (v) standardization; and (vi) involvement of a third party.  The CNIL’s recommendations further elaborate on these criteria and provide examples of mechanisms that can be used to verify a person’s age online.
  3. Provide specific safeguards to protect the interests of minors – The CNIL recommends that online service providers: (i) offer enhanced privacy settings by default; (ii) avoid profiling minors; and (iii) avoid reusing the personal data of minors and/or transmitting it to third parties for commercial or advertising purposes.

According to the CNIL, these recommendations revolve around three key themes, namely:

  • taking into account the need for autonomy of minors and their rights, while at the same time ensuring that they are safe when browsing the Internet;
  • reinforcing the fundamental support role of parents and educators in the digital environment, while respecting the privacy interests of the child; and
  • ensuring online service providers are aware of their increased responsibility towards minors when processing their personal data, including the obligation to respect minors’ rights.

The CNIL’s recommendations are part of a global trend towards increasing the safety of children online.  Among these various initiatives, the CNIL mentions in particular:

  • the UN’s recently released General Comment No. 25 (2021) on children’s rights in relation to the digital environment (see here);
  • the OECD’s Recommendation of the Council on Children in the Digital Environment (see here);
  • the International Telecommunications Unit’s 2020 Child Online Protection (COP) Guidelines on how to achieve a safe online environment that supports the empowerment of children and young people (see here);
  • the Council of Europe’s Guidelines to respect, protect and fulfil the rights of the child in the digital environment (see here); and
  • UNICEF’s 2017 study on children in an online world (see here).

The CNIL notes that the European Data Protection Board and European Network of Child Advocates have begun a collaboration in this area, and also refers to other recent children’s data initiatives launched by national supervisory authorities, such as the Age Appropriate Design Code published by the UK Information Commissioner’s Office (see our blog post here), and the draft Fundamentals for a Child-Oriented Approach to Data Processing released by the Irish Data Protection Commissioner (see our blog post here).

We are continuing to monitor this area closely and will keep our readers apprised of the latest updates.

Photo of Anna Oberschelp de Meneses Anna Oberschelp de Meneses

Anna Sophia Oberschelp de Meneses is an associate in the Data Privacy and Cybersecurity Practice Group.

Anna is a qualified Portuguese lawyer, but is both a native Portuguese and German speaker.

Anna advises companies on European data protection law and helps clients coordinate…

Anna Sophia Oberschelp de Meneses is an associate in the Data Privacy and Cybersecurity Practice Group.

Anna is a qualified Portuguese lawyer, but is both a native Portuguese and German speaker.

Anna advises companies on European data protection law and helps clients coordinate international data protection law projects.

She has obtained a certificate for “corporate data protection officer” by the German Association for Data Protection and Data Security (“Gesellschaft für Datenschutz und Datensicherheit e.V.”). She is also Certified Information Privacy Professional Europe (CIPPE/EU) by the International Association of Privacy Professionals (IAPP).

Anna also advises companies in the field of EU consumer law and has been closely tracking the developments in this area.

Her extensive language skills allow her to monitor developments and help clients tackle EU Data Privacy, Cybersecurity and Consumer Law issues in various EU and ROW jurisdictions.

Photo of Nicholas Shepherd Nicholas Shepherd

Nicholas Shepherd is an associate in Covington’s Washington, DC office, where he is a member of the Data Privacy and Cybersecurity Practice Group, advising clients on compliance with all aspects of the European General Data Protection Regulation (GDPR), ePrivacy Directive, European direct marketing…

Nicholas Shepherd is an associate in Covington’s Washington, DC office, where he is a member of the Data Privacy and Cybersecurity Practice Group, advising clients on compliance with all aspects of the European General Data Protection Regulation (GDPR), ePrivacy Directive, European direct marketing laws, and other privacy and cybersecurity laws worldwide. Nick counsels on topics that include adtech, anonymization, children’s privacy, cross-border transfer restrictions, and much more, providing advice tailored to product- and service-specific contexts to help clients apply a risk-based approach in addressing requirements in relation to transparency, consent, lawful processing, data sharing, and others.

A U.S.-trained and qualified lawyer with 7 years of working experience in Europe, Nick leverages his multi-faceted legal background and international experience to provide clear and pragmatic advice to help organizations address their privacy compliance obligations across jurisdictions.

Photo of Dan Cooper Dan Cooper

Daniel Cooper is co-chair of Covington’s Data Privacy and Cyber Security Practice, and advises clients on information technology regulatory and policy issues, particularly data protection, consumer protection, AI, and data security matters. He has over 20 years of experience in the field, representing…

Daniel Cooper is co-chair of Covington’s Data Privacy and Cyber Security Practice, and advises clients on information technology regulatory and policy issues, particularly data protection, consumer protection, AI, and data security matters. He has over 20 years of experience in the field, representing clients in regulatory proceedings before privacy authorities in Europe and counseling them on their global compliance and government affairs strategies. Dan regularly lectures on the topic, and was instrumental in drafting the privacy standards applied in professional sport.

According to Chambers UK, his “level of expertise is second to none, but it’s also equally paired with a keen understanding of our business and direction.” It was noted that “he is very good at calibrating and helping to gauge risk.”

Dan is qualified to practice law in the United States, the United Kingdom, Ireland and Belgium. He has also been appointed to the advisory and expert boards of privacy NGOs and agencies, such as the IAPP’s European Advisory Board, Privacy International and the European security agency, ENISA.