Note: This advice is given by the CAP Executive about non-broadcast advertising. It does not constitute legal advice. It does not bind CAP, CAP advisory panels or the Advertising Standards Authority.
The Database Practice section of the CAP Code contains rules about marketing to and collecting information from children, that should be read in conjunction with the Children’s section of the Code and general clauses about responsibility, truthfulness and suitability of marketing materials. The Code defines a child as a person under the age of 16. In 2003, the ASA upheld a complaint about an unsolicited marketing communication being sent to a seven-year-old (M&D Group, 19 March 2003) on the grounds that it was unlikely to be understood by children as an advertisement and could therefore mislead.
The Help Note on Mobile Marketing states “verifiable and explicit consent should be obtained from a parent/guardian before communicating via mobile with children”. That position with regards to SMS is likely to be applied in spirit to e-mail marketing and raises the question of what would constitute verifiable and explicit consent. The ASA has yet to adjudicate on parentally obtained consent. However, the ICO’s Personal Information Online Code of Practice guidance states:
The key issue is to take into account the degree of risk that the collection or use of the personal data poses to the child or to others. This will help you to determine whether parental consent is required and, if so, what form this should take. For example, where minimal information is being collected, such as an email address to register on a site and to ask the child to confirm their age, then asking the child to tick a box to confirm parental consent and sending an email to the parent may be sufficient. However, if the child’s photo is to be displayed on a website, you may require a signed consent form or email acknowledgement from the parent even for older children.
The ICO acknowledges that obtaining parental consent in a verifiable way is, in practice, very difficult in the context of electronic communications. Therefore, we understand that if an advertiser was soliciting explicit consent from consumers by offering them the chance to sign-up to receive SMS marketing communications (in a print campaign), it might be acceptable for that advertiser to include a statement in the ad saying “If you are under 16, you should ensure that you have your parent or guardian’s permission to subscribe to our mailing list” or similar.
Legislation states that consumers need to have “fair processing information” i.e. they need to know who their data is being collected by and what it will be used for when collected. Which raises the question: are very young children capable of understanding that information? In response to that, the ICO advises that marketers should obtain consent for the collection and use of data from parents if children are not able to understand that fair processing information. Generally a child over 12 may be considered capable of understanding - as reflected in CAP Code rule 10.15. It does however depend entirely on the circumstances. The ICO recommends that marketers assess the appropriate form for obtaining consent based on the risk to the child. A marketer may well need to obtain consent from a child aged over 12 if there is a greater risk.
Whilst marketers must not collect personal information from children under 12 without verifiable parental consent, the CAP Code does allow marketers to collect information from children aged 12-16 subject to rule 10.16 which states:
Marketers must not knowingly collect personal information about other people from children under 16 unless that information is the minimum required to make a recommendation for a product, is not used for a significantly different purpose from that originally consented to, and the marketer can demonstrate that the collection of that information was suitable for the age group targeted.
Data about third parties collected from children must not be kept for longer than necessary.
CAP notes that some social networking websites offer applications that can request details about other people for the purposes of making a recommendation and that it is also common practice for websites to allow users to enter the e-mail addresses of their friends to send a marketing newsletter or a message recommending a product (i.e. a “wish list” or a message stating “Your friend X thought you might like this...”) The ICO guidance advises that it is for organisations to:
[...] assess the level of risk associated with asking a child to provide personal data about a third party. In some cases the risk is low because the information collected is relatively innocuous, for example where a child provides another person’s email address to transmit a newsletter and where the address isn’t retained or used for any other purpose.
CAP considers that when making that judgement, marketers should bear in mind the age and understanding of the child from whom they are collecting information. For example, a child of 13 years using a child orientated website is likely to be at higher risk than a 13 year old child using an application on a social networking site targeted at an older audience. Rule 10.16 requires marketers to justify why their collection of information about other people from a child aged 12-16 is suitable, depending on the age of the child and the context in which it was collected. Furthermore, marketers must ensure that the information they collect is proportionate and not excessive for the purposes for which it was consented to, is not used for a significantly different purpose, and is not kept for longer than necessary. Marketers must also bear in mind that the Database Practice Background section of the CAP Code also states that marketers must comply with relevant data protection legislation and that there may be other requirements in the Data Protection Act (1998) that they need to comply with.
Marketers should be aware that it is illegal to market certain products or services to children under a certain age; for example, under the Consumer Credit Act 1974, credit products and services cannot be marketed to persons under 18.
Information about Marketing to Children can be found in the DMA Code of Practice (www.dma.org.uk).
Last modified : 14 February 2011