PRIV- 6 Parental Consent

What is this control about?

Implementing the control ‘Parental Consent’ is important because it ensures that organizations handle the personal data of children in a responsible and lawful manner. Children are a vulnerable group, and data privacy regulations recognize the need for extra protection when processing their personal information. Obtaining parental consent before collecting, using, or disclosing a child’s personal data helps to safeguard their privacy and protect them from potential harm.

Available tools in the marketplace

Tools:

Agechecker Tokenoftrust  Veratad Jotform

Available templates

N/A

Control implementation

Here are some guidelines to implement a mechanism to verify age and get parental consent:

• Understand Applicable Regulations: Start by understanding the relevant data protection regulations and laws that apply to the organization, especially those related to the collection and processing of personal data of minors. Familiarize yourself with the age threshold that requires parental consent for data processing.
• Identify Data Collection Points: Conduct a thorough audit of all the systems, applications, and platforms used by the organization that may collect personal data from users, including minors. Identify the specific data collection points that require parental consent.
• Update Privacy Policies and Notices: Review and update the organization’s privacy policies and notices to include clear and accessible information about the collection and processing of personal data from minors. Include details about the need for parental consent and provide instructions on how parents or guardians can provide consent.
• Implement Parental Consent Mechanisms: Implement appropriate mechanisms to obtain parental consent before collecting personal data from minors. Depending on the organization’s operations and target audience, this could include age verification tools, email or phone verification, or online consent forms for parents or guardians to complete.
• Verification of Consent: Ensure that the parental consent received is genuine and verified. Establish procedures to validate the authenticity of the consent provided, as it is essential to prevent unauthorized access to minors’ personal data.
• User Account Verification: If the organization allows user accounts for minors, establish a process to verify the age of the user during the registration process. This may include additional identity verification steps or using a trusted third-party verification service.
• Secure Data Storage and Processing: Implement robust security measures to protect the personal data of minors. Use encryption, access controls, and other security tools to safeguard the data from unauthorized access, loss, or breach.
• Documentation and Records: Maintain detailed documentation of all parental consents received, the verification process, and any incidents related to the collection and processing of personal data from minors. Keep records of ongoing compliance efforts.

What evidence do auditors look for?

Most auditors, at a minimum, are looking for the below-suggested action:

1. Privacy Policies and Notices around parental consent
2. Consent Mechanisms configuration
3. Example of a recorded parental consent

Evidence example

For the suggested action, an example is provided below:

• Parental consent Notice form

• Consent Mechanisms configuration

Screenshot screen

• Example of a recorded parental consent

This will be the completed consent form