
Children’s Data Privacy in Nigeria and the Obligation of Data Controllers
The Nigeria Data Protection Act (NDPA) 2023 significantly strengthens protections for children’s personal data by placing enforceable obligations on data controllers, the parties that determine how and why personal data is processed. Central to these obligations is the requirement to obtain consent from a parent or legal guardian before processing the data of any child under 18 years old.
Obligation to Obtain Parental or Guardian Consent
Pursuant to the NDPA, a child is defined as any person below the age of 18, consistent with the Child Rights Act. This means that before any personal data belonging to a child can be collected or processed, data controllers must secure explicit consent from the child’s parent or legal guardian. This consent must be informed, specific, and freely given, ensuring that parents understand what data is collected, the purposes of processing, and their rights regarding their child’s information.
This requirement is not merely procedural but substantively designed to empower parents to protect their children’s privacy in an increasingly digital world. The Act also emphasizes that consent cannot be assumed from silence or inactivity. It must be affirmative and clear.
Mandatory Age Verification Mechanisms
Beyond obtaining consent, the NDPA imposes an additional critical responsibility on data controllers to implement appropriate mechanisms to verify the age of the data subject before processing their personal data. This obligation ensures that children are correctly identified and that parental consent is sought only when applicable.
The Act recognizes the practical challenges of age verification in digital environments and requires data controllers to apply suitable technological means, taking into account available technology and context. Commonly accepted methods include the presentation of government-approved identification documents or other reliable verification tools. These mechanisms help prevent underage users from accessing services without parental oversight and protect organizations from inadvertently processing children’s data unlawfully.
Exceptions and Safeguards
While the consent and verification requirements are stringent, the NDPA allows exceptions where parental consent is not needed. These include situations where processing is necessary to protect the vital interests of the child, is carried out for educational, medical, or social care purposes by professionals bound by confidentiality, or is essential for legal proceedings involving the child. These exceptions are set out in Section 31(4) of the NDPA.
Implications for Data Controllers
The combined obligations to obtain parental consent and verify age impose a high standard of accountability on data controllers. Data controllers must design and maintain robust systems that integrate age verification at the earliest point of data collection and ensure consent processes are transparent and accessible to parents and guardians. Privacy policies must be written in clear, child-friendly language to facilitate understanding by both children and their parents.
Failure to comply with these obligations poses a risk of regulatory sanctions from the Nigeria Data Protection Commission (NDPC), reputational damage, and, most importantly, the erosion of trust with families relying on digital services.
Conclusion
The NDPA’s requirements for parental consent and age verification reflect Nigeria’s commitment to protecting children’s privacy rights in the digital age. Data controllers must rise to the challenge by embedding these obligations into their data processing practices to safeguard children’s personal information and support parents in their role as guardians of their children’s digital lives. This legal framework, combined with parental vigilance, offers a strong foundation for a safer online environment for children.