Article 8 GDPR
Conditions for the consent of the child for information society services

1. Where Article 6(1)(a) applies, in the case of information society services offered directly to a child, the processing of personal data of a child who has reached the age of 16 is lawful. If the child is under 16 years of age, such processing is lawful only where consent has been given or authorized by the person exercising parental authority or guardianship over the child, and only to the extent of that consent. Member States may provide in their law for a lower age limit, which must be at least 13 years.

2. In such cases, the administrator, taking into account available technology, shall make reasonable efforts to verify that the person with parental authority or custody of the child has given consent or approved it.

3. Paragraph 1 does not affect general provisions of the contract law of the Member States, such as provisions on the validity, conclusion or effect of a contract with respect to a child.