For the first time, France has adopted a law protecting children’s privacy through the lens of right to their image: the Law n°2024-120 of February 19, 2024 (“Children’s Image Rights Law”). Unlike standards or bills related to the sharing of children’s personal data which may exist in other countries (e.g., UK Age Appropriate Design Code, California bill on collection of personal information of a consumer less than 18 years of age), which apply to data controllers or processors, this piece of legislation applies directly to children’s parents or guardians. But like in other countries it shows a trend, which is to strengthen the protection of children’s rights through various and specific pieces of legislation. In France examples include the Law n° 2023-566 of July 7, 2023 to establish a digital majority and combat online hate, the Law n°2020-1266 of October 19, 2020, to regulate the commercial use of images of children under the age of sixteen on online platforms (aka “Child Influencer Law”) or the bill discussed since 2023 on securing and regulating the digital space, which tackles notably the issues of cyber harassing and access to pornographic content.
The Children’s Image Rights Law aims to tackle risks of sharenting, including by completing measures implemented under the Child Influencers Law, to limit risk-creating behavior, and enshrines children’s right to privacy and facilitate the exercise of rights which protect minors. This approach is supported by the French data protection authority (hereafter the “CNIL”) which has recently issued guidance on risks of sharenting and children’s privacy rights (See the CNIL’s guidance, “Sharing photos and videos of your child on social networks: what are the risks”). The Children’s Image Rights Law reminds parents that children have the right to privacy and the right to their image, as photos and videos are personal data. Their digital rights include a right of access, rectification, erasure, and a right to object in relation to their personal data that can be exercised on their own or by a legal representative. Parents or guardians can exercise their children’s rights on their behalf, in particular their right to deletion if photos or videos posted by them have been reused without consent.
The right to erasure is at the center of the children’s right to privacy and of the Children’s Image Rights Law. The right to erasure (or the right to be forgotten) is governed by Article 17 GDPR. The parents can ask for the deletion of a child’s photos or videos if they want to withdraw their consent or when the children’s personal data is subject to unlawful processing (e.g., unlawful reuse of photos shared by the parent). To exercise this right, they must request deletion from the data controller (e.g., the social network), who must respond as soon as possible and within one month at the latest, barring (unlikely) exceptions. If the request is not honored within this period, they can contact the police, use a specific channel in case of cyberbullying or lodge a complaint with the CNIL.
The Children’s Image Rights Law has an impact on the CNIL’s powers with regard to the right to erasure. It states:
“In the event of serious and immediate infringement of the rights and freedoms mentioned in article 1 of the present law [data protection rights under the GDPR] or, in the case of a minor, in the event of non-execution or failure to respond to a request of erasure of personal data, the president of the CNIL may also request, by way of summary proceedings, the competent court to order, if necessary under fine, any measure necessary to safeguard these rights and freedoms.“
In practice, this means that the CNIL will be able to initiate summary proceedings to ensure that requests for the erasure of children’ personal data are more effective, and that situations that create risks for children are resolved faster.
Enforcement and perspective of the new law: Today, the CNIL is already assisting complainants in asserting their data protection rights, and in particular in obtaining erasure of data from the relevant sites, particularly social networks. In the future, and in addition to this assistance, interim injunctions issued at the request of the CNIL may give rise to conservatory measures, in particular the suspension of publication. Data controllers will therefore need to be properly equipped in order to process such erasure requests in France as quickly as possible. More generally, companies need to be particularly cautious with the processing of children’s data and take into account these new obligations and the applicable guidance from authorities, because the CNIL included the processing of minors’ data collected online in its investigation program for 2024 (See the CNIL investigations in 2024). This means that in the coming months, the CNIL will be checking compliance of several applications and sites most popular with children and teenagers to see for instance whether age control mechanisms have been implemented, what security measures are in place and whether the principle of data minimisation has been respected.
