Andrew Chin/Getty Images

It's clogged up your inbox with pleading emails, but another unintended consequence of GDPR could be bad news for teenagers.

The European data laws coming into effect this week will introduce new rules around kids and online services, in some cases requiring children under 16 to get parental consent before using apps that ask for personal data.


The idea behind the age limit is to give additional protection to young people when it comes to their personal data, but some app developers and experts argue that it could have the unintended consequence of preventing teens from accessing educational information and taking part in digital society – not to mention that no one really knows how to make age verification work, anyway.

Ida Tin, founder and CEO of period-tracking app Clue, says she is concerned that the requirement for under-16s to get parental consent will prevent young women from benefiting from the app’s services, especially if they may be embarrassed to ask their parents for consent. “You can imagine being a young woman getting your first period maybe at age 13, 14, or even younger, and then having to ask your parents to use this app to explain what’s going on in your body is a really hard thing to do,” she says. “I think for a lot of people that will basically mean that they won’t get access to the educational information that someone like Clue provides.”

Read next London’s rental market is being flooded by bargain Airbnb listings London’s rental market is being flooded by bargain Airbnb listings

The new rules around age limits and parental consent are part of the EU’s General Data Protection Regulation (GDPR). The rules lay out the ways in which companies can collect and process personal information. One of the things GDPR covers is the circumstances under which a company can legally process someone’s personal data. One such circumstance is if the company has consent from the subject of the data.

However, the regulations acknowledge that children may not be able to give consent for their data to be processed as they cannot be expected to understand the risks and consequences. Therefore, they state that “where the child is below the age of 16 years, such processing shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child”. Essentially: if you’re under 16, your parent or guardian has to give consent for the company to use your data.


Not all European countries have the same age limit of 16 – GDPR leaves some wiggle room to lower that threshold to as low as 13 (which has been the general standard across the US and Europe until now – hence social media platforms like Facebook requiring users to be at least that old). The UK and Ireland have opted to keep the age of consent at 13, while countries including France, the Netherlands and Germany have moved to adopt the 16 limit.

In response, some apps have simply changed their age restrictions to say that users must be 16 to use them at all; last month, WhatsApp updated the minimum age of European users to 16 (though you still only have to be 13 to use it in the US). Facebook still allows 13-year-olds to sign up, though they will need parental consent to access some features such as personalised ads.

One obvious issue with the regulations is the difficulty of actually telling if a child is underage or not. GDPR does not specify how services should verify that their users are of age and/or have parental consent, save to say that they need to make “reasonable efforts” to do so. If a child says that they are over 16, it’s unclear how a company is supposed to check that – and it’s difficult to believe that all under-16s are suddenly going to leave WhatsApp just because of a change in T&Cs.

Read next What is GDPR? The summary guide to GDPR compliance in the UK What is GDPR? The summary guide to GDPR compliance in the UK

And to thoroughly verify that a child has parental consent, companies would presumably need to know the identity of both child and parent in order to establish that the consent is legitimate – a level of verification that goes well beyond most apps’ sign-up procedures.


Tin says that Clue will require users to verify their age and provide parental consent where relevant. Underage users who do not have parental consent will be able to browse the app but not sign up for an account. But she is realistic about the company's ability to verify age. “If there’s a 12-year-old who says that she’s 13, we cannot check that,” she says.

And for Clue, she says, this can have another unfortunate knock-on effect, as the company also collaborates with academics on research around women’s health, and people giving false information can skew their data. “Fundamentally we have to trust the data people give us, but it’s not a great solution to pretend we think everyone just suddenly turned 16,” she says. “That’s really sub-optimal.”

She also worries that the requirement to get parental consent will stop some teens from accessing information that could help them understand more about their health and changing bodies, for example if they are too scared to ask for permission to access a period-tracking app. “We see again and again that really young women need support – the education system is not giving them what they need,” she says. “My fear is that women will have less access to information and education.”

Tin wants to see regulators explicitly consider the issue of women’s health when making new rules. “I would argue that if you had to go ask your dad or your mum to ask them about using a fitness tracker, that’s really different to going and asking to use a period-tracking app – unfortunately,” she says.

Read next Who will really benefit from the EU's big data plan? Who will really benefit from the EU's big data plan?

GDPR isn't to blame for all those dumb emails you're getting Privacy GDPR isn't to blame for all those dumb emails you're getting

Sonia Livingstone, professor of social psychology at London School of Economics, says that GDPR is a positive step in that it recognises a need to protect young people when it comes to their personal data, but that it doesn’t take into account all of the issues involved, nor all of the potential unintended consequences.

While parents knowing more about what their kids are up to online could be a positive thing in many cases, she points out that it will inevitably result in some inequalities. “In nice, happy families, parents and children will welcome the parental consent requirement, because it means that everyone’s going to have to talk a lot more about what they’re using,” she says. “In unhappy, difficult, busy, fraught families, this is going to involve an unwarranted intrusion into the child’s privacy.”


Livingstone argues that the need for a parental requirement at all stems from online services historically failing to treat children fairly when it comes to data protection – for example, by having terms and conditions that are too complicated for a child (or indeed most adults) to understand. “GDPR is a solution to a problem that the industry has created,” she says.

Moving forward, she wants to see regulators consult parents and children on issues such as data protection and provide better education to the public. A lot of services could also minimise the data they collect and offer a graduated service based on how much people are willing or able to provide.

A more political suggestion, she says, could be to reconsider what kind of personal data we want to make available to private companies in the first place. “We have developed a society where a lot of things are left for commercial development,” she says. “Why doesn’t, for example, the NHS provide a neat, free period-tracking app, if that’s been useful for teens?”