Recommendation 1: Regulate the capacity of children to act online
Children represent one of the largest user groups of social networks. By creating an account and ticking a box to agree to the terms and conditions, they are in fact entering into a contract. This shows that the law is somewhat out of sync with user practice.
We don´t know what we´re agreeing to.
63 %
of under-13s have at least one social network account
Instagram attracts 58% of 11-14 year olds and 89% of 15-18 year olds
Snapchat is popular among 75% of 11-14 year olds and 88% of 15-18 year olds
YouTube is visited by 78% of 11-14 year olds and 75% of 15-18 year olds
The number of 11-18 year olds using TikTok rose from about 30% in 2020 to almost 50% in 2021, and its use has more than doubled among 15-18 year olds
(Source - in French: Génération numérique survey "Digital practices of young people aged 11 to 18", March 2021)
What the law says
The GDPR and the French Data Protection Act allow children over the age of 15 to give their own consent for certain types of the processing that require non-contractual "consent". A child over 15 can therefore legally decide by him or herself to accept cookies when visiting a website, set his or her social network profile to public or private or activate an optional geolocation feature on an app. On the other hand, at the age of 15 the law does not yet recognise "general digital adulthood". The GDPR does not therefore establish a child's capacity to sign up to a social network by him or herself. In principle, the ordinary law of minority still applies, and children are subject to parental authority, depending on the context and as explained by case law.
Furthermore, the GDPR states that national contract law is also still applicable, especially when it comes to the validity of a contractual undertaking or its impact on a child. However, under French law, children are in principle considered legally incapable of entering into a contract.
Children are therefore considered both incapable of signing up to a social network (insofar as this involves a contract), but at the same time capable of granting or withholding consent to some of the more sensitive additional features such as geolocation and the use of cookies.
However, in some situations a child entering into a contract could be considered a "routine act" under French law, meaning a simple action that the child can perform alone and that poses no risk to the child. Ultimately, it is up to the courts to assess whether a given act falls under this category based on its monetary value, the habits of the child and his or her family, and the risks involved, but above all whether the act is in the child's best interests.
The CNIL carried out an in-depth analysis of applicable national law (contract law, rules on the incapacity of children), with expert contributions from law professors and the Ministry of Justice. It found that in certain circumstances, children over 15 should be able, in general and without prejudice to the discretionary ability of the courts to decide otherwise, to conclude certain contracts by themselves when it comes to signing up to online services.
Help and Guidance from the CNIL
The CNIL realises that the use of digital technologies among children is large-scale and largely autonomous. It also notes that the GDPR has established a form of regulated recognition of this autonomy by granting children, from a certain age, the ability to consent to certain types of processing of their own data in the context of online services.
Therefore, subject to the discretionary assessment of the courts, the CNIL believes it would be consistent for children, depending on their level of maturity and in any event above the age of 15, to be considered capable of entering into contracts that involve the processing of their data for the purposes of online services, such as signing up to a social network or an online gaming site, if and only if:
- the services are suitable for a child audience;
- the processing strictly complies with data protection rules as set out in the GDPR and the French Data Protection Act (e.g. minimisation of data collected, for a clearly-stated purpose, for a limited period of time and in a secure manner);
- the child is given clear and appropriate information about how his or her data will be used and of his or her data protection and privacy rights, to ensure the child understands the meaning and scope of the commitment being made;
- parents have the legal right to request deletion of their child's account if they consider it necessary to protect their child's best interests.
This is neither a free pass for children nor a blank cheque for online service providers to enter into contracts with children in the same way as they do with adults. On the other hand, it has the advantage of not being blind to the reality of digital practices among young people, while underlining the importance of the protective framework that must be put in place to support their autonomy.
The CNIL will be paying close attention to all decisions handed down by the courts in this area.
Discover the 8 recommendations from the CNIL
1 - Regulate the capacity of children to act online
2 - Encourage children to exercise their rights
3 - Support parents with digital education
4 - Seek parental consent for children under 15
5 - Promote parental controls that respect the child's privacy and best interests
6 - Strengthen the information and rights of children by design
7 - Check the age of the child and parental consent while respecting the child's privacy
8 - Provide specific safeguards to protect the interests of the child