
The toothpaste is out of the tube. Once personal data is on the Internet, there is no going back. Children today grow up leaving permanent scars with every like, post and DM, often unaware of how much of themselves they have exposed. To protect children, lawmakers have taken decision-making out of their hands and placed it in the care of adults. The perception is that children do not have the understanding to express themselves.
However, we often underestimate them. Children's abilities are constantly evolving, and today's average 10-year-old knows Instagram and TikTok like the back of their hand. Children nowadays have knowledge and much more; they need guidance so that they can develop the judgment to make informed decisions about data privacy matters.
The basis of these protections is the principle of transparency. As data subjects and rights holders, children are entitled to information about how their personal data is collected, processed and used.1
PHL Data Privacy Law for children
In December 2024, the National Privacy Commission took a leap forward by issuing Advisory No. 2024-03, also known as the Guidelines on Child-Oriented Transparency.
The Guidelines emphasize the vulnerability of children, while also acknowledging their rights as primary data subjects and their increased ability to understand how their personal data is used. They want children to be informed about the nature, purpose and extent of the processing of their personal data through an age-appropriate privacy notice, even in cases where the product or service is for adults.2 They also require that children be notified if their personal information is affected by a data breach.3
However, transparency does not necessarily equate to autonomy. While the Guidelines call for data processors to be open towards children, the accountability and responsibility for providing consent still rest on those exercising parental rights.4
The Guidelines require data processors themselves to conduct child privacy impact assessments before launching products or services and, whenever necessary, to secure the involvement of parents or guardians in deciding whether children should participate in a specific processing activity.5
Global approach to parental consent
This important role of parents and guardians is reflected in international laws, although the age limit for parental consent varies across jurisdictions.
In the United States, consent must be obtained before data from children under 13 can be processed.6 South Korea has set this age at 14 years,7 while India enforces a stricter rule, requiring verifiable parental consent for persons under 18 years of age.8
In Europe, countries find guidance in the General Data Protection Regulation (GDPR),9 which requires parental consent for children under 16 years of age. However, the GDPR allows Member States to set a lower age limit by law, provided it is not lower than 13 years.10 In Italy, parental consent is required to process personal data of children under 14 years of age.11
Some jurisdictions are more progressive in terms of giving children decision-making rights after they reach a certain age. For example, in Vietnam12 and Thailand,13 children aged seven and 10, respectively, must give their consent along with their parents.
In the Philippines, parental consent is required for children under the age of 18 or children with disabilities over the age of 18.14 Currently, a pending House Bill proposes to reduce this age to 15 years.15
Empowering the next generation
There is no doubt that today's children are experts in technology and the internet. However, they have yet to fully understand the long-term impact of sharing their personal information. Therefore, data processors, especially social media platforms, also have a responsibility to inform them about all matters affecting their data.
In fact, the Guidelines recommend specific strategies in drafting child-specific and age-appropriate privacy notices that consider the readability, comprehensibility, and descriptiveness of information while taking into account children's best interests and developing abilities. In any case, the information should be presented in a way that is simple and easily understandable to children using videos, infographics, animation and audio recordings.16
The growing digital maturity of children highlights not only their adaptability but also their potential as informed digital citizens. By empowering them through education, transparent policies, and supportive parental guidance, we can change the narrative – from viewing them merely as vulnerable subjects to recognizing them as active participants in protecting their personal data.
Ultimately, protecting children's data privacy leads us to “prepare the child for the road, not the road for the child.” In this age of open information, keeping children safe requires more than protecting them from the digital world. This includes empowering them to thrive within it.
(This article is for general informational and educational purposes only and is not presented as, and does not constitute, legal advice or legal opinion.)
1 United Nations Committee on the Rights of the Child, General Comment No. 25 (2021) on the rights of the child in relation to the digital environment, CRC/C/GC/25 (2 March 2021).
2 Section 3, NPC Advisory No. 2024-03 titled “Guidelines on Child-Oriented Transparency.”
3 Section 4, NPC Advisory No. 2024-03 titled “Guidelines on Child-Oriented Transparency.”
4 Title IX, New Civil Code.
5 Section 2(a), NPC Advisory No. 2024-03 titled “Guidelines on Child-Oriented Transparency.”
6 Section 312.4(a), Children's Online Privacy Protection Rule.
7 Article 22(6), Personal Information Protection Act 2011.
8 Section 9, Chapter 2, Digital Personal Data Protection Act (2023).
9 Regulation (EU) 2016/679 of 27 April 2016 of the European Parliament and of the Council.
10 Article 8, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016.
11 Section 2-D, Personal Data Protection Code containing provisions adapting national legislation to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with respect to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC.
12 Section 2, Article 20(2), Decree of Vietnam on Personal Data Protection (Decree No. 13/2023/ND-CP).
13 Section 20, Part I, Chapter II, Personal Data Protection Act of Thailand 2019.
14 Section 3(a), Republic Act No. 7610 (1992). An Act to provide for stronger deterrence and special protection against child abuse, exploitation and discrimination and for other purposes [Special Protection of Children Against Abuse, Exploitation and Discrimination Act of 1992].
15 HB 898
16 Section 3, NPC Advisory No. 2024-03 titled “Guidelines on Child-Oriented Transparency” (Guidelines).
Clarisse Paulina M. Valdecantos-Javelosa is a Senior Associate of the Intellectual Property Department and a member of the Data Privacy and Security Group of Angara Abello Concepcion Regala & Cruz Law Offices (ACCRALAW).
cmvaldecantos@accralaw.com
+632-8830-8000