Responsible advertising to children (during Christmas time and beyond) in the EU

Children are at the heart of Christmas. Many businesses operate in the online world and target their products and services to children, trying to persuade them that they can make their Christmas dreams come true!

What are the rules about targeting to children for marketing purposes?

When it comes to privacy and data protection, children have the same rights as adults. However, in practice the rules might not be the same. For instance, a child might need their parents or tutors to exercise data protection rights on their behalf in case, according to the applicable local law, the child is not competent to do so. This is not the only difference though.

In May 2022 the European Commission published the new European strategy for a Better Internet for Kids (“BIK+”), updating the previous one (“BIK”), published in 2012. Among other topics, BIK+ addresses children as “active digital consumers” being targeted by (or at least exposed to) a wide range of online marketing techniques mostly designed for adults. Some of the most critical practises include social media recommendation systems driven by algorithms, influencer marketing and gamification of marketing.

The EU Commission has warned that the impact on children of new marketing technologies is not known and research is needed. The biggest risks seem to derive from the fact that children might lack the digital skills and competencies to understand when their personal data is collected and further processed, why this matters, and how to be “informed contributors in shaping the world around them”.

In November 2022 the Regulation (EU) 2022/2065 (“Digital Services Act” or “DSA”) entered into force. The DSA includes a prohibition for providers of online platforms to advertise based on profiling when they are “aware with reasonable certainty” that the data subject who uses the service is a child (Recital 71 DSA).

Profiling consists of the evaluation of personal aspects (for instance preferences and interests) revealed through behaviours (such as a child’s browsing activity) concerning the data subject (in our case, the child). This activity can be easily carried out without the knowledge of the child or of their parents or tutors.

According to the DSA the prohibition to advertise to children based on profiling shall be read in accordance with the principle of data minimisation provided for in Article 5(1)(c) GDPR, meaning that the provider shall only process the personal data that they already have in order to assess if the recipient of the service is a minor.

According to the EU Commission this obligation “should not incentivize providers of online platforms to collect the age of the recipient of the service prior to their use”. This provision seems to suggest that the level of protection for children should not be made dependent solely on the age of the child, but should rather focus on other criteria.

Further guidance is provided through “Five key principles of fairness” by a group of volunteers from national consumer and data protection authorities, with the support of the European Data Protection Board (EDPB) and endorsed by the Consumer Protection Cooperation Network (CPC).

The five key principles can be summarised as follows:

  • Take into account specific vulnerabilities of children (e.g., inexperience, credulity, …) when designing advertising or marketing techniques that are likely to be seen by children;
  • Do not exploit children’s particular vulnerability;
  • Disclose the marketing purpose of marketing content in a manner that is clear for children (when the content is likely to be seen by children);
  • Do not prompt children to purchase in-app or in-game content;
  • Do not profile children for advertising purposes.

The ultimate objective for service providers should be to avoid certain practices which can be harmful for children and better inform data subjects about when and how providers use consumers’ data for advertising purposes.

The focus is again on the marketing strategy and the advertising means employed, rather than the age of the marketing message recipient.

This approach seems in line with the ICO Age-Appropriate Design Code (“ICO AADC”) (on which more can be read here, and with the California Age-Appropriate Design Code (published on September 2022). Both the British and Californian codes require service providers to conduct a data protection impact assessment of the risks for children from the management of their data. The Codes also highlight a list of practices to be avoided when targeting children for marketing reasons.

In Europe a similar code does not exist yet, however, according to the BIK+ strategy the EU commission will facilitate a comprehensive “EU code of conduct on age-appropriate design”, building on the new rules in the DSA and in line with the GDPR. The draft of the code will involve industry, policymakers and civil society representatives, including children.

In conclusion, there are new rules in place that should create a stronger foundation for protecting children from manipulative advertising practices. The EU is planning to publish further guidance soon.

In the meantime, advertisers should adapt to the new legal framework and keep in mind that when advertising to children wellbeing comes first no matter how great their game is.