GDPR Article 8 Child Consent (GDPR Art. 8)
GDPR Article 8 establishes conditions for child consent to data processing, requiring parental consent for children under 16 (or 13, depending on member state).
What GDPR Art. 8 Requires
Key provisions of GDPR Article 8 Child Consent
Parental Consent for Children's Data
Data processing relating to children under 16 (or 13 where member states have set a lower age) requires verifiable parental or guardian consent. Consent must be freely given, specific, informed, and unambiguous.
Verification of Parental Consent
Data controllers must make reasonable efforts to verify that consent is given or authorised by the holder of parental responsibility, taking into account available technology.
Right to Erasure for Children
Children's data is subject to the full GDPR right to erasure (Article 17). Data collected during childhood can be deleted at any time, and controllers must act on erasure requests without undue delay.
Data Protection by Design and Default
Services directed at or likely used by children must implement data protection by design and by default, minimizing data collection and ensuring the highest privacy settings are applied automatically.
Data Protection Impact Assessments
High-risk processing of children's data requires a Data Protection Impact Assessment (DPIA) before processing begins, evaluating risks and identifying mitigation measures.
Supervisory Authority Enforcement
National Data Protection Authorities enforce GDPR with fines up to €20 million or 4% of global annual turnover, whichever is higher. Children's data violations are treated with heightened seriousness.
How Phosra Helps
GDPR Art. 8 provisions mapped to Phosra features
Each GDPR Art. 8 requirement is addressed by a specific Phosra capability. Integrate once, and your platform is covered.
Parental consent requirement
Parent Account Ownership
Phosra's parent-managed account model ensures all child profiles are created and controlled by a verified adult, satisfying Article 8's consent requirements through account ownership.
curl -G https://api.phosra.com/v1/families/fam_8nL3m/consent-status \
  -H "Authorization: Bearer sk_live_..." \
  -d "regulation=gdpr"
Right to erasure
Data Deletion Request
data_deletion_request
The data_deletion_request rule triggers deletion workflows on connected platforms. Child profiles can be fully removed from Phosra within 7 days via the dashboard or API.
curl -X POST https://api.phosra.com/v1/children/ch_lucas_02/data-deletion \
  -H "Authorization: Bearer sk_live_..." \
  -H "Content-Type: application/json" \
  -d '{
    "scope": "all_platforms",
    "gdpr_article": "17",
    "reason": "withdrawal_of_consent",
    "include_phosra_profile": true
  }'
Targeted ad ban for minors
Targeted Ad Block
targeted_ad_block
The targeted_ad_block rule disables all behavioral advertising and ad profiling for minor users, ensuring GDPR-compliant data processing across connected platforms.
curl -X POST https://api.phosra.com/v1/enforcement \
  -H "Authorization: Bearer sk_live_..." \
  -H "Content-Type: application/json" \
  -d '{
    "child_id": "ch_lucas_02",
    "rules": ["targeted_ad_block"],
    "platforms": ["youtube", "instagram", "tiktok"]
  }'
Data protection by default
Privacy Data Sharing Controls
privacy_data_sharing
The privacy_data_sharing rule blocks third-party data sharing and analytics by default for child accounts, implementing data protection by default.
curl -X POST https://api.phosra.com/v1/enforcement \
  -H "Authorization: Bearer sk_live_..." \
  -H "Content-Type: application/json" \
  -d '{
    "child_id": "ch_lucas_02",
    "rules": ["privacy_data_sharing"],
    "platforms": ["youtube", "instagram", "discord"]
  }'
Data minimization
Minimal Child Profiles
Phosra stores only first name, birth date, and age group. No email, phone, photos, or biometrics are collected, ensuring GDPR data minimization principles are upheld.
curl -G https://api.phosra.com/v1/children/ch_lucas_02 \
  -H "Authorization: Bearer sk_live_..." \
  -d "include=gdpr_compliance"
Security measures
AES-256-GCM Encryption
All sensitive data is encrypted at rest with AES-256-GCM. Platform credentials use per-family keys, and all transfers use TLS 1.3, satisfying GDPR Article 32 security requirements.
curl -G https://api.phosra.com/v1/compliance/encryption-status \
  -H "Authorization: Bearer sk_live_..." \
  -d "regulation=gdpr"
Start building GDPR Art. 8-compliant features today
Phosra handles the complexity of multi-platform compliance so you can focus on building great products for families.