David vs. Goliath
A judge at the UK High Court granted a 12-year-old girl, who may proceed anonymously, permission to file a class-action lawsuit against TikTok. The claim: the social media platform collects children’s personal data on a massive scale without valid parental consent.
The case represents millions of children in the UK and the EU who have used TikTok. It is one of the largest privacy cases ever filed on behalf of minors.
What did TikTok do wrong?
The core of the complaint is that TikTok:
- Collected children’s data without parental consent - children could create and use an account without any verification of parental consent
- Collected more data than necessary - location data, device information, browsing behaviour, and biometric data (facial recognition in videos)
- Shared data with third parties - advertisers and other parties gained access to children’s data
- Provided insufficient transparency - the privacy terms were not understandable for children or their parents
Why this matters
This case is significant for several reasons:
Children receive extra protection
The GDPR treats children as vulnerable data subjects who deserve extra protection. Article 8 sets specific rules for processing children’s data, including the obligation to obtain parental consent.
Class actions are becoming more common
Until recently, privacy lawsuits were mainly between individuals and companies. Class actions make it possible to act on behalf of large groups of data subjects, enormously increasing the financial risks for violators.
Supervisory authorities are watching
Besides this lawsuit, multiple European supervisory authorities have taken action against TikTok. The Irish DPC imposed a fine of EUR 345 million, and the Italian authority temporarily blocked the processing of Italian users’ data.
The lesson for businesses
You do not need to be a tech giant to deal with this issue. If your business offers services to children or processes minors’ data, stricter rules apply:
- Age verification - check whether users are old enough to give consent themselves
- Parental consent - for children under 16 (in NL and BE), you need consent from a parent or guardian
- Understandable information - your privacy notice must be understandable for the target audience
- Minimal data collection - do not collect more than strictly necessary, especially with children
- No profiling - profiling children for marketing purposes is not permitted in most cases
Examples include sports clubs with youth members, schools with student data, webshops with products for children, apps used by minors, and events where children participate.
GDPRWise helps you document all processing activities, including the extra requirements for minors' data.