XF 2.0 GDPR: minimum age enforcement?

[Sim]

Now that GDPR specifies that children under the age of 16 are incapable of providing informed consent and thus require parental consent - has anyone considered how this might be implemented?

It's similar (but not quite the same) as the US's COPPA requirements. I know we can set a minimum age in the registration, but ironically, capturing and storing their date of birth is yet another unnecessary personal datapoint - which is exactly what the whole GDPR thing is trying to minimise.

Perhaps we need to be able to capture age at registration time for the purposes of logging consent, but not actually store date of birth? Or do you think it is good enough to simply demand that users acknowledge that they must be over the age of 16 before they register?

 

[Kirby]

https://xenforo.com/community/threads/user-registration-option-minimum-age-does-not-work.147180/

 

[Slavik]

Stipulating it in T+C's is fine as it is otherwise unenforceable short of requiring validated ID to be provided...

 

[Chris D]

Or do you think it is good enough to simply demand that users acknowledge that they must be over the age of 16 before they register?

Absolutely this.

XF2 already provides a minimum age option and that is already passed to the terms and rules which must be read and consented to before registering.

 

[Tom]

So does this mean that we can no longer allow under 16s to join the site without parental permission, as opposed to only under 13s? I'm unable to find a clear clarification on this from any sites, including the ICO's.

 

[Sim]

So does this mean that we can no longer allow under 16s to join the site without parental permission, as opposed to only under 13s? I'm unable to find a clear clarification on this from any sites, including the ICO's.

https://gdpr-info.eu/art-8-gdpr/ (emphasis mine):

1. Where point (a) of Article 6(1) applies, in relation to the offer of information society services directly to a child, the processing of the personal data of a child shall be lawful where the child is at least 16 years old. Where the child is below the age of 16 years, such processing shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child.
   Member States may provide by law for a lower age for those purposes provided that such lower age is not below 13 years.
2. The controller shall make reasonable efforts to verify in such cases that consent is given or authorised by the holder of parental responsibility over the child, taking into consideration available technology.
3. Paragraph 1 shall not affect the general contract law of Member States such as the rules on the validity, formation or effect of a contract in relation to a child.

 

[Sim]

Absolutely this.

XF2 already provides a minimum age option and that is already passed to the terms and rules which must be read and consented to before registering.

But doesn't that require capturing and storing the user's date of birth?

Ahh - I see in XF2, the options have changed:



That's good enough for me.

Have you made any changes for XF1 to help people with GDPR compliance here?

XF1 had these options combined under one setting:

 

[Kirby]

So does this mean that we can no longer allow under 16s to join the site without parental permission, as opposed to only under 13s? I'm unable to find a clear clarification on this from any sites, including the ICO's.

This somewhat depends on where you are located and where the teenager is located.
Austria for example has pased a law to lower the general GDPR requirement to 13 years.

 

[Chris D]

That's good enough for me.

Have you made any changes for XF1 to help people with GDPR compliance here?

XF1 had these options combined under one setting:

Nope but the XF1 approach is still compliant.

 

[D.O.A.]

Stipulating it in T+C's is fine as it is otherwise unenforceable short of requiring validated ID to be provided...

Nah man everyone on the internet is honest folks, no kids gonna deliberately bypass a checkbox and violate page 98541 of the EU's book of laws

 

[webbouk]

This somewhat depends on where you are located and where the teenager is located.
Austria for example has pased a law to lower the general GDPR requirement to 13 years.

So does that mean we have to use some geomapping to show different minimum age requirements depending on the country that the user/registrant is accessing the forums from in order to prevent falling foul of GDPR ?
It just shows the preposterousy (sp) of GDPR - it's either one rule for all or no rules at all

 

[Kirby]

I just had another discussion with our lawyer who took a look at how XenForo implemented Article 8 GDPR.
According to him, it is not enough to just state the age in terms of service, but it is also not required to ask for the birthday (and store that information).
What we are doing right no is to add another required checkbox "I confirm that I am 16 years or older".

I must also correct my previous statement in post #8 - Austria has lowered the requirement to 14 years, not 13.
13 years is the minimum age for any EU country if they pass national law to reduce the general age as set by GDPR (16 years).