children-profiling-limits
Children's Profiling Restrictions
Overview
Profiling of children is subject to heightened restrictions under multiple regulatory frameworks. GDPR Recital 71 states that automated decision-making including profiling "should not concern a child." The UK AADC Standard 12 requires profiling to be switched off by default for child users, with exceptions only where the controller can demonstrate a compelling reason and appropriate protective measures. The EU Digital Services Act (DSA) Article 28(2) explicitly prohibits online platforms from presenting targeted advertising based on profiling using the personal data of minors. COPPA prohibits the collection of persistent identifiers from children for behavioural advertising without verifiable parental consent. This skill establishes a comprehensive framework for lawful and ethical data processing that avoids prohibited profiling of children.
Legal Framework
GDPR Recital 71 — Children and Automated Decisions
"In any case, such processing should be subject to suitable safeguards, which should include specific information to the data subject and the right to obtain human intervention, to express his or her point of view, to obtain an explanation of the decision reached after such assessment and to challenge the decision. Such measure should not concern a child."
The EDPB interprets "should not concern a child" as a strong presumption against subjecting children to automated decision-making based on profiling that produces legal or similarly significant effects. While "should not" is weaker than "shall not," the EDPB guidance and DPA enforcement practice treat this as an effective prohibition unless exceptional circumstances apply.
GDPR Article 22 — Automated Individual Decision-Making
Art. 22(1): "The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her."