Which topic would you like to know more about?
What is the legal age of adulthood/ majority in your jurisdiction? Are all persons below this age considered a child/ minor?
The Guardianship Service Act (442/1999), as amended provides that a person aged under 18 is considered a minor and a person aged 18 years or older is considered an adult.
Has the UNCRC been directly incorporated into national law in your jurisdiction?
Yes.
Finland has incorporated the UNCRC into national legislation by way of legislation with the Act on the Adoption of Certain Provisions of the Convention on the Rights of the Child (1129/1991) that came into force on 21 August 1991.
Is there an ombudsperson/ commissioner for children in your jurisdiction?
Yes.
The Ombudsman for Children is established by the Act on the Ombudsman for Children (1221/2004).
If there is an ombudsperson/ commissioner for children in your jurisdiction, do they have any responsibility for upholding children’s rights in the digital world or does the relevant regulator have sole competence?
No.
The Ombudsman for Children promotes and evaluates the implementation of the UNCRC in Finland. This is done in cooperation with other authorities, organisations, and other civil society actors. The Ombudsman for Children issues statements or opinions and seeks to raise public discussion regarding the rights of the children. They also assess government projects from the perspective of children’s rights and submit initiatives for necessary changes. The Ombudsman for Children promotes children’s rights in the digital world through cooperation, statements, and initiatives. As such, it does not have competence as regards the investigation of such complaints against private entities.
Is there any standalone requirement to collect the consent of one or both parents when processing a child’s personal data (irrespective of any other obligations, e.g. the requirement to have a legal basis for processing)?
No.
There are no national-specific laws in this regard; see more information on the GDPR-level requirements here. The requirement to collect parental consent under Article 8(1) of the GDPR only applies where the service provider is relying on consent as the legal basis under the GDPR for processing a child’s personal data. If another legal basis is relied on for processing, there is no requirement to collect parental consent for processing the child’s data.
At what age can children legally consent to the processing of their own personal data, such that parental permission/ consent is not required?
Article 8(1) of the GDPR provides that the age of digital consent may be anywhere between 13 and 16 years of age, depending on what age the EU Member State in question has adopted.
In Finland, this is 13 years of age.
Are there specific requirements in relation to collection and/or verification of parental consent/ permission concerning the processing of a child’s personal data?
Yes.
There are no national-specific requirements in this regard; see more information on the GDPR-level requirements here.
Article 8(2) of the GDPR requires organisations to make “reasonable efforts” to verify such consent by a holder of parental responsibility over a child while taking into account available technology. No specific method has been presented by the Data Protection Ombudsman. However, in its guidance on consent of the data subject it is mentioned that the authentication measures should be evaluated on the basis of the nature and risks of processing.
When a child is asked to give their consent, special attention should be given to using clear and plain language.
Are there any particular information or transparency requirements concerning the processing of children’s personal data?
Yes.
There are no national-specific laws in this regard; see more information on the GDPR-level requirements here.
Article 12(1) of the GDPR emphasises the particular importance of the requirement for clear and plain language when providing information to children.
This is also interpreted by the Data Protection Ombudsman by stating that the information concerning the processing of personal data must be readily accessible and presented using simple and clear language. When the controller processes the personal data of children, particular attention must be paid to intelligibility.
Can children directly exercise their rights in relation to their personal data without the involvement of their parents?
Yes.
There are no national-specific laws which specifically state the age at which children have the legal right to exercise their data subject rights under the GDPR.
The Data Protection Ombudsman has emphasized putting the best interests of a child first. In principle, the rights of a data subject belong to every person.
Can children make complaints on their own behalf directly to your national data protection/ privacy regulator(s)?
Yes.
The Data Protection Ombudsman considers that a child may exercise their data protection rights and make complaints on their own or with their parents’ assistance.
Are there any particular requirements/ prohibitions related to:
a. processing specific types of children’s personal data;
b. carrying out specific processing activities involving children’s personal data; and/ or
c. using children’s personal data for specific purposes.
Yes.
There are no national-specific laws in this regard; see more information on the GDPR-level requirements here.
Has there been any enforcement action by your national data protection/ privacy regulator(s) concerning the processing of children’s personal data? In your answer, please include information on the volume, nature and severity of sanctions.
Yes.
The Office of the Data Protection Ombudsman has issued decisions related to the processing of children’s personal data. These decisions consider for example the processing of children’s social security numbers in connection with renting apartments; the processing of pupils’ personal data within systems that process personal data outside of the EU/EEA; and the visibility of pupils' personal data in an e-mail address book used by the education provider.
Are there specific rules concerning electronic direct marketing to children?
Yes.
The Act on Electronic Communications Services (1207/2020, as amended) applies to electronic direct marketing. While the Act on Electronic Communications Services does not separately mention children, the Finnish Competition and Consumer Authority has provided further guidance regarding direct marketing and children. Direct marketing, such as telemarketing, cannot be directed at children under 15 years of age without parental consent. Direct marketing aimed towards children also includes marketing letters addressed to parents if the appearance is designed to appeal to children. For children from 15 to 17 years of age, direct marketing can only be for products that can be purchased with pocket money and products that are appropriate for that age group.
Are there specific rules concerning the use of adtech tracking technologies, profiling and/or online targeted advertising to children?
Yes.
There are no national-specific laws in this regard, but the Office of the Data Protection Ombudsman has given guidance on automated decision-making and profiling. This guidance states that the special status of children must be taken into account. According to the Data Protection Ombudsman, children should not be subjected to decisions that are solely based on automated processing and have legal effects or other correspondingly significant effects. Subjecting children to such automated decision-making and profiling may be justified if it is done in order to protect the child’s wellbeing. When it comes to protecting children, appropriate measures must be taken.
Separately under the Digital Services Act, organisations that fall under the definition of providers of online platforms are prohibited from advertising to children using personal data-based profiling (i.e. personalised/ targeted advertising).
See more information here.
Are there specific rules concerning online contextual advertising to children?
Yes.
The Finnish Competition and Consumer Authority has stated that marketing targeted at minors should be assessed more strictly than marketing targeted at adults. Marketing to children must be clearly distinguishable from other entertainment aimed at and reaching children. Marketing to children must not encourage the child to influence the family's purchasing decisions or otherwise infringe the parent's parental rights.
Find more information in the section ‘Consumer Protection’, which addresses advertising and children more broadly.
Additionally, see information on the EU-level requirements here.
Has there been any regulatory enforcement action concerning advertising to children? In your answer, please include information on the volume, nature and severity of sanctions.
Yes.
There has been no enforcement specifically concerning advertising to children by the Data Protection Ombudsman. However, the Consumer Ombudsman has issued decisions concerning advertising to children.
At what age does a person acquire contractual capacity to enter into an agreement to use digital services?
This is the age of legal capacity to enter into a contract in Finland.
Children require a guardian’s consent for making a purchase. Without a guardian’s consent, a child can only make ordinary, small purchases. This also applies to agreements regarding digital services.
Do consumer protection rules apply to children?
Yes.
The Consumer Protection Act (38/1978, as amended) (the CPA), as amended, regulates marketing and practices in customer relationships, among other things. In the CPA, a ‘consumer’ is defined as a natural person who acquires consumer goods or services primarily for a purpose other than trade carried out by the natural person. Therefore, the scope also includes children.
The CPA includes regulation which is evaluated in the context of the ‘average consumer’. This average consumer is considered informed, reasonably attentive and careful. The starting point for the evaluation is the perception that the average consumer makes on the basis of the marketing material.
There is an exemption to the use of the average consumer where the practice is likely to have an impact on the decision-making of consumers who are particularly vulnerable due to e.g. their disability or age. If the trader should reasonably have understood this, the unfairness of the said practice is determined by using the point of view of the average member of such a consumer group, e.g. a child. This is done even if the practice was not aimed at them.
Additionally, see more information on the EU-level requirements here.
Are there any consumer protection rules which are specific to children only?
Yes.
The Consumer Protection Act includes marketing related regulation that is specific to children only. The CPA defines marketing that is contrary to good practice. Marketing that is targeted at or commonly reaches minors is contrary to good practice particularly if it exploits the inexperience or credulity of a minor, if it is likely to have an adverse effect on the balanced development of a minor or if it aims to bypass the possibility of parents to fully exercise their parental guidance of their child.
This is not assessed from a standard point of view, but instead one must take into account the age, developmental stage and other circumstances of the minors who are commonly reached by the marketing.
In addition, the Act on Electronic Communications Services states that teleshopping shall not exhort minors to contract for the sale or rental of goods and services.
Additionally, see more information on the EU-level requirements here.
Has there been any regulatory enforcement action concerning consumer protection requirements and children’s use of digital services? In your answer, please include information on the volume, nature and severity of sanctions.
No.
N/A
Are there any age-related restrictions on when children can legally access online/ digital services?
Yes.
There are national-specific laws in Finland which implement age-related restrictions on the ages at which children can legally access specific goods and services. The following are a non-exhaustive list of goods and services to which such restrictions apply:
- gambling
- alcohol, cigarettes, vaping; and
- pornography.
To the extent such goods and services are accessed online by children, such restrictions will generally also apply.
Are there any specific requirements relating to online/ digital safety for children?
Yes.
There is no national-specific regulation which would cover online or digital safety for children. See more information on the EU-level requirements here.
However, the Finnish Transport and Communication’s Agency’s National Cyber Security Centre provides general guidance on online / digital safety for all children and their parents.
Are there specific age verification/ age assurance requirements concerning access to online/ digital services?
Yes.
There is no national-specific regulation which would cover age verification / age assurance requirements concerning access to online / digital services. See more information on the EU-level requirements here.
However, the Act on Audiovisual Programmes (710/2011, as amended) (AP Act), applies to all content intended to be viewed as moving images by technical means, including e.g., movies and digital games. An audiovisual programme may be provided only if it has been classified in accordance with the AP Act and if a clearly visible label indicating the age limit and content is displayed on or in connection with the programme.
The AP Act concerns the protection of minors from content harmful to their development. The AP Act imposes among other things an obligation on the provider of a video-sharing platform to take appropriate measures to protect children from content harmful to their development. The provider of the video-sharing platform is responsible for choosing the most suitable means in accordance with the general principles. The National Audiovisual Institute monitors compliance with the obligations.
Are there requirements to implement parental controls and/or facilitate parental involvement in children’s use of digital services?
No.
There is no national-specific regulation which would require implementing parental controls or facilitate parental involvement in children’s use of digital services.
Additionally, see more information on the EU-level requirements here.
Has there been any regulatory enforcement action concerning online/ digital safety? In your answer, please include information on the volume, nature and severity of sanctions.
No.
N/A
Are there any existing requirements relating to children and AI in your jurisdiction?
Yes.
There are no national-specific laws in this regard; the AI Act (Regulation 2024/1689) applies in this context. See EU-level response here.
Are there any upcoming requirements relating to children and AI in your jurisdiction?
Yes.
There are no national-specific requirements in this regard; see EU-level response here.
However, please note that Finland will be issuing supplementing legislation to the AI Act regarding the competent national authorities and their powers to impose penalties.
As a side note, the Finnish Ministry of Education and Culture and the Finnish National Agency of Education are currently preparing guidelines for the use of AI in education, teaching, and training. The objective of the guidelines is to increase understanding of AI and promote its responsible and safe use. The guidelines are aimed at education providers and staff in the early childhood education and care, pre-primary and primary education, upper secondary education, vocational education, and liberal adult education.
Has there been any other regulatory enforcement activity to date relevant to children’s use of digital services? In your answer, please include information on the volume, nature and severity of sanctions.
No.
N/A
Are there any other existing or upcoming requirements relevant to children’s use of digital services?
Yes.
The Finnish Government has issued a proposal to amend the Finnish Basic Education Act (628/1998) to prohibit the use of telephones and other mobile devices during lessons. Students would only be allowed to use their phones or other mobile devices during lessons for learning purposes or for personal healthcare reasons with permission from their teacher or principal. A principal or teacher would also have the right to confiscate a student’s phone or other mobile device during the school day if the student’s use of the device were to disrupt teaching or learning.
See more information on the upcoming EU-level requirements here.
