With the increasingly great participation of underage datasubjects on the Internet, where they are directly becoming consumers, it has become quite a challenge to create legally and commercially viable strategies to request for consent and process minors’ data with a focus of minimizing risk. In light of this, at Vanegas Morales Consultores we have been studying strategies to help clients remain compliant with data protection laws without halting attractive projects. Below you will find some of our tips.
Before entering into the detail of this subject it is important to highlight that in Colombia, we have three main legal premises that apply to the processing of data of underage datasubjects: i) consent must be obtained before the start of the processing, or at the latest, simultaneously as Controller collects the data, and it must be free, express, informed and in general, granted by underage datasubject’s legal representatives; and, ii) there is a constitutional protection granted to minors that establishes that their rights and best interests must be protected and prioritized in any decisions or acts that may affect them.
Considering this, initially our General Data Protection Law (Art. 7 Law 1581 of 2012) established that the processing of underage datasubject’s personal information was forbidden, except for public data. However, our Constitutional Court established that understanding this as an absolute prohibition would entail an unnecessary restriction of datasubject’s fundamental rights such as the right to access health or educational services.
Therefore, the Court clarified that the processing of data of underage datasubjects was allowed as long as Controller observed the principles applicable to the processing of personal data, and the purposes pursued with the processing benefitted the minor and respected its prevalent rights. It also dictated that underage datasubject’s opinion on the processing of their data should be heard and taken into account proportionally to datasubject’s age and maturity. The latter position was later set forth by Art. 12 of Regulatory Decree 1377 of 2013.
The general rule, therefore, is that the processing of data of underage datasubjects is allowed when the processing complies with the mentioned requisites, but we still have an obstacle to consider, since underage datasubjects cannot validly provide their legal consent or accept to be bound by any legal premises until they become 18 years old.
Colombian Data Protection Authority has been very strict recently, requiring all Controllers that process personal data pertaining to underage datasubjects to implement strategies and physical or technological means to collect consent directly form minor’s legal representatives (which are often their parents), since in investigations conducted by that Authority, a general weakness and/or lack of mechanisms implemented by Controllers to comply with this requisite has been identified.
There is an exception involving minors ranging from 14 to 18 years old because they are considered “young adults” in our regulation. Therefore, according to our Constitutional Court, underage datasubjects that have at least 14 years old, may validly consent to receive information that benefits them such as information related to educational or sexual health services, since in those specific cases, involving minor’s parents could impede access by those datasubjects to essential services or the exercise of their fundamental rights.
This exception should be examined case by case and applied quite carefully, since we already stated that the general rule for our DPA is that Controllers must request for consent to be provided by minor’s legal representatives.
Our advice to clients that process data pertaining to underage data subjects is to establish strong commercial strategies and technological procedures that allow them to directly request for consent directly from minor’s legal representatives. Of course, we understand the challenge that this poses, taking into account how active minors are today, especially regarding services provided through internet or apps.
Therefore, in special cases where clients provide goods or services that directly benefit the minor such as educational and financial services, and they have clients ranging from 14 to 18 years old, our opinion is that initially they may opt for requesting consent directly from the “young adult” but only for the purposes of providing datasubject with information regarding their services, whenever datasubject requested such information.
When implementing this strategy, Controllers must be very careful to not use information to carry out non-essential purposes such as sending advertisement information using minor’s contact information. If Controller wishes to conduct purposes additional to strictly providing information and rendering services to the “young adult” we recommend requesting for legal representative’s consent and prefer the legal representative’s contact information to conduct such additional purposes.
In all other cases, such as when processing data of minors that are 13 years old or younger, our opinion is that Controllers must always opt for the general rule and request for legal representative’s consent. For this reason, we think that in compliance with the Principle of Accountability, it will always be a very good business strategy to invest on technological tools that allow to have traceability on the process of requesting for consent and mapping out processes that involve the processing of underage datasubject’s data.
Companies may also establish special channels to process parent’s complaints and special security measures to differentiate and adequately protect information pertaining to underage datasubjects. The key is to create strategies that creatively apply the law and facilitate processes for consumers and datasubjects.
For more information, please contact us at: svanegas@vanegasmorales.com.