Which topic would you like to know more about?
What is the legal age of adulthood/ majority in your jurisdiction? Are all persons below this age considered a child/ minor?
Article 122 of the Portuguese Civil Code provides that a person under the age of 18 is a minor.
Has the UNCRC been directly incorporated into national law in your jurisdiction?
Yes.
The UNCRC has been ratified by Portugal through Presidential Decree of 14.09.1990 and was published on 21 October 1990.
Is there an ombudsperson/ commissioner for children in your jurisdiction?
Yes.
The National Commission for the Promotion of the Rights and Protection of Children and Young People (NCPRPCYP) was created by Decree-Law no. 159/2015 of 10 August, which was amended by Decree-Law no. 139/2017 of 10 November. The NCPRPCYP mission is to contribute to the planning of state intervention and to the coordination, monitoring and evaluation of the actions of public bodies and the community in promoting the rights and protection of children and young people.
If there is an ombudsperson/ commissioner for children in your jurisdiction, do they have any responsibility for upholding children’s rights in the digital world or does the relevant regulator have sole competence?
No.
It is up to the relevant regulator (Autoridade Nacional de Comunicações, Comissão Nacional de Protecção de Dado or Consumer Division depending on topic).
Is there any standalone requirement to collect the consent of one or both parents when processing a child’s personal data (irrespective of any other obligations, e.g. the requirement to have a legal basis for processing)?
No.
There are no national-specific laws in this regard; see more information on the GDPR-level requirements here. The requirement to collect parental consent under Article 8(1) of the GDPR only applies where the service provider is relying on consent as the legal basis under the GDPR for processing a child’s personal data. If another legal basis is relied on for processing, there is no requirement to collect parental consent for processing the child’s data.
Entirely separate to the requirement to collect parental consent under Article 8(1) is that a digital service provider (controller) may decide to seek parental permissions for a child to access different setting/ features/ functionalities etc. as part of the measures it implements under Articles 24 and 25 of the GDPR to ensure a high level of protection for child users.
At what age can children legally consent to the processing of their own personal data, such that parental permission/ consent is not required?
Article 16 of Law no. 58/2019 of 8 August concerning the implementation of the GDPR determines that the personal data of children may only be processed on the basis of the consent provided for in Article 6(1)(a) of the GDPR and relating to the direct offer of information society services when they have reached the age of 13. Furthermore, it establishes that if the child is under 13 years of age, processing is only lawful if consent is given by the child's legal representatives, preferably using secure authentication means.
Are there specific requirements in relation to collection and/or verification of parental consent/ permission concerning the processing of a child’s personal data?
Yes.
Article 16 of Law no. 58/2019 of 8 August concerning the implementation of the GDPR includes a preference for secure authentication methods when giving consent.
See more information on the GDPR-level requirements here.
Are there any particular information or transparency requirements concerning the processing of children’s personal data?
Yes.
There are no national-specific laws in this regard; see more information on the GDPR-level requirements here. Article 12(1) of the GDPR emphasises the particular importance of the requirement for clear and plain language when providing information to children.
Can children directly exercise their rights in relation to their personal data without the involvement of their parents?
Yes.
Given children are given autonomy to consent on the processing of their personal data for digital contracts, they can also apply for the exercise of rights.
Can children make complaints on their own behalf directly to your national data protection/ privacy regulator(s)?
Yes.
Given children are given autonomy to consent on the processing of their personal data for digital contracts, they can also apply for the exercise of rights.
Are there any particular requirements/ prohibitions related to:
a. processing specific types of children’s personal data;
b. carrying out specific processing activities involving children’s personal data; and/ or
c. using children’s personal data for specific purposes.
Yes.
There are no national-specific laws in this regard; however see more information on the GDPR-level requirements here.
Has there been any enforcement action by your national data protection/ privacy regulator(s) concerning the processing of children’s personal data? In your answer, please include information on the volume, nature and severity of sanctions.
No.
No information available on public databases.
Are there specific rules concerning electronic direct marketing to children?
Yes.
Where unsolicited direct marketing to any person is carried out through the sending of electronic mail (i.e. any text, voice, sound or image message including SMS text message) the Portuguese Law on Electronic Communications and Privacy, enacted pursuant the ePrivacy Directive (Law 46/2012 of August 18th, as amended) will apply to such communications. Portuguese Law on Electronic Communications and Privacy is not specifically directed at communications made to children but regardless of whether the communication is sent to an adult or a child, the general rule is that the consent of the individual recipient is required (which must be GDPR-standard consent) although there are certain strictly applied exemptions which can be relied upon in limited circumstances.
Are there specific rules concerning the use of adtech tracking technologies, profiling and/or online targeted advertising to children?
Yes.
The Portuguese Law on Electronic Communications and Privacy enacted pursuant the ePrivacy Directive (Law 46/2012 of August 18th, as amended) will apply along with the Portuguese Advertising Code.
While the Portuguese Law on Electronic Communications and Privacy does not contain specific rules to minors, the Portuguese Advertising Code determines that advertising aimed specifically at minors must always take into account their psychological vulnerability, and in particular refrain from:
a) Directly inciting minors, by exploiting their inexperience or credulity, to purchase a particular good or service;
b) Directly encouraging minors to persuade their parents or third parties to buy the products or services in question;
c) Containing elements likely to jeopardise their physical or moral integrity, health or safety, in particular through scenes of pornography or incitement to violence; or
d) Exploit the special trust that minors place in their parents, guardians or teachers.
Minors can only be key players in advertising messages in which there is a direct relationship between them and the product or service being advertised.
Finally, Article 93A of the Television and Streaming Services - Law no. 27/2007, of 30th July, as amended, establishes that the personal data of children and young people collected or generated by television programme service operators, on-demand audiovisual service operators or video-sharing platform providers may not be processed for commercial purposes, such as direct marketing, profiling or behaviourally-targeted advertising, in compliance with the General Data Protection Regulation in conjunction with the Protection of Children and Young People in Danger Act, particularly with regard to obtaining consent from those exercising parental responsibilities.
Additionally, see further information on the EU-level requirements here.
Are there specific rules concerning online contextual advertising to children?
Yes.
The Portuguese Advertising Code provision on minors applies to all types of advertising. See further information on the Portuguese Advertising Code here.
The Portuguese Advertising Code is completed by the Law on Unfair Commercial Practices – Decree-Law no. 57/2008, of 26th March, as amended, which among other provisions of relevance, prohibits misleading advertising, which must be considered in the context of the ‘average consumer’ within the target group. Whether a commercial practice is misleading under the Law on Unfair Commercial Practices will depend on whether it includes the provision of false information, deceives or would be likely to deceive the average consumer regarding a number of matters listed in the relevant provision and such action causes or would be likely to cause the average consumer to make a transactional decision they would not otherwise make. In determining whether a commercial practice is misleading, the commercial practice has to be considered in its factual context, taking account of all its features and circumstances.
Additionally, see further information on the EU-level requirements here.
Has there been any regulatory enforcement action concerning advertising to children? In your answer, please include information on the volume, nature and severity of sanctions.
No.
There are several decisions based on use by children of advertising, mostly issues raised by self-regulation associations, and some judicial decisions on advertising campaigns with minors. However, there have been no specific decisions on online advertising.
At what age does a person acquire contractual capacity to enter into an agreement to use digital services?
Article 16 of Law no. 58/2019 of 8th August concerning the implementation of the GDPR.
Do consumer protection rules apply to children?
Yes.
The Consumer Defence Law, Law no. 24/06, of 31st of July, as amended, is applicable to all consumers, including children.
Also, for sales at distance, including online sales, the general rules of Law on Sales at Distance - Decree-Law no. 24/2014, of 14 February shall apply. The general regime includes protection on consumers for online sales but no specific rules for minors. Contracts for use of digital services may be concluded by minors over 13 years, opposing the majority rule of 18 years old.
Additionally, see further information on the EU-level requirements here.
Are there any consumer protection rules which are specific to children only?
Yes.
General rules on consumer protection apply, including Advertising Code, Law on Unfair Commercial Practices, Consumer Law, and Online Sales.
Additionally, see further information on the EU-level requirements here.
Has there been any regulatory enforcement action concerning consumer protection requirements and children’s use of digital services? In your answer, please include information on the volume, nature and severity of sanctions.
No.
No information on public databases.
Are there any age-related restrictions on when children can legally access online/ digital services?
No.
While 13 years old is the age for entering into a digital services contracts, access to online/ digital services has no age limit.
Are there any specific requirements relating to online/ digital safety for children?
Yes.
Article 16 of Law no. 58/2019 of 8th August concerning the implementation of the GDPR includes requirements for consent. See further information on the EU-level requirements here.
Are there specific age verification/ age assurance requirements concerning access to online/ digital services?
Yes.
Article 16 of Law no. 58/2019 of 8th August concerning the implementation of the GDPR includes requirements for consent. See further information on the EU-level requirements here.
Are there requirements to implement parental controls and/or facilitate parental involvement in children’s use of digital services?
Yes.
Good practices determine that such controls should be made available but there are no specific national legal requirements to do so, except on payment methods but within rules on financial controls.
See further information on the EU-level requirements here.
Has there been any regulatory enforcement action concerning online/ digital safety? In your answer, please include information on the volume, nature and severity of sanctions.
No.
No information on public databases.
Are there any existing requirements relating to children and AI in your jurisdiction?
Yes.
There are no national-specific laws in this regard; the AI Act (Regulation 2024/1689) applies in this context. See EU-level response here.
Are there any upcoming requirements relating to children and AI in your jurisdiction?
Yes.
There are no national-specific requirements in this regard; see EU-level response here.
Has there been any other regulatory enforcement activity to date relevant to children’s use of digital services? In your answer, please include information on the volume, nature and severity of sanctions.
No.
N/A
Are there any other existing or upcoming requirements relevant to children’s use of digital services?
No.
There are no other national existing or upcoming requirements relevant to children’s use of digital services.
See more information on the upcoming EU-level requirements here.
Contributors
Ana Rita Paínho
Servulo & Associados
Ana Maria Loureiro
Servulo & Associados
