Which topic would you like to know more about?
What is the legal age of adulthood/ majority in your jurisdiction? Are all persons below this age considered a child/ minor?
In terms of the Children’s Act 38 of 2005 (Children’s Act), a child is defined as “a person under the age of 18 years”.
In terms of section 17 of the Children’s Act, a child becomes a major upon reaching the age of 18 years.
Has the UNCRC been directly incorporated into national law in your jurisdiction?
Yes.
South Africa signed the UNCRC in 1993 and ratified it on 16 June 1995. The preamble to the Children’s Act 38 of 2005 (Children’s Act) specifically refers to the UNCRC in relation to the need to extend particular care to children. Section 2(d) of the Children’s Act provides that one of the objects of the Act is to give effect to South Africa’s obligations concerning the well-being of children in terms of international instruments binding on South Africa.
Is there an ombudsperson/ commissioner for children in your jurisdiction?
Yes.
The South African Human Rights Commission (SAHRC) is empowered to monitor and assess the observance of human rights in South Africa, including children’s rights as set out in section 28 of the Constitution of the Republic of South Africa, 1996. The SAHRC established a dedicated Children’s Rights Unit in 2020.
In the judicial system, the office of the Family Advocate assists parties to reach agreements on disputed issues, namely custody, access and guardianship, in the best interests of the child.
In the Western Cape province, the Western Cape Commissioner for Children was appointed in 2023. The Commissioner for Children is an independent institution from government and reports to the provincial legislature on activities, functions and progress on objectives. See more here.
If there is an ombudsperson/ commissioner for children in your jurisdiction, do they have any responsibility for upholding children’s rights in the digital world or does the relevant regulator have sole competence?
Yes.
The South African Human Rights Commission, through its Children’s Rights Unit, has published several guidelines and best practice documents regarding children’s rights in the digital environment. See here.
The primary legislation for protecting online user rights (including those of children) is the Protection of Personal Information Act 4 of 2013 (POPIA). The Information Regulator is South Africa’s data protection authority, established under POPIA.
The Film and Publication Board, established in terms of the Films and Publications Act 65 of 1996, has competence in relation to the protection of children in the broadcasting, film, publications and content sector.
Is there any standalone requirement to collect the consent of one or both parents when processing a child’s personal data (irrespective of any other obligations, e.g. the requirement to have a legal basis for processing)?
Yes.
The consent of a “competent person” is required when processing a child’s personal information, pursuant to sections 34 and 35 of Protection of Personal Information Act 4 of 2013.
A “competent person” means any person who is legally competent to consent to any action or decision being taken in respect of any matter concerning a child.
At what age can children legally consent to the processing of their own personal data, such that parental permission/ consent is not required?
N/ A
Section 1 of the Protection of Personal Information Act 4 of 2013 defines a child as “a natural person under the age of 18 years who is not legally competent, without the assistance of a competent person, to take any action or decision in respect of any matter concerning him- or herself.” Therefore, a person must be over the age of 18 in order to be legal competent for the purposes of the Act.
Are there specific requirements in relation to collection and/or verification of parental consent/ permission concerning the processing of a child’s personal data?
Yes.
Consent in terms of the Protection of Personal Information Act 4 of 2013, whether given by a data subject or a competent person in respect of a data subject who is a child, must be a voluntary, specific and informed expression of will.
A “competent person” means any person who is legally competent to consent to any action or decision being taken in respect of any matter concerning a child.
Are there any particular information or transparency requirements concerning the processing of children’s personal data?
Yes.
Part C of the Protection of Personal Information Act 4 of 2013 (POPIA) governs the processing of personal information of children, and sets out specific requirements for lawful processing. Responsible parties (i.e., data controllers) are prohibited from processing personal information concerning a child unless the requirements set out in section 35 of POPIA are met. See further information on these requirements here.
Can children directly exercise their rights in relation to their personal data without the involvement of their parents?
No.
The consent of a competent person must be obtained in respect of personal information / personal data of a data subject who is a child.
A “competent person” is defined in the Protection of Personal Information Act 4 of 2013 as meaning any person who is legally competent to consent to any action or decision being taken in respect of any matter concerning a child.
Can children make complaints on their own behalf directly to your national data protection/ privacy regulator(s)?
Yes.
In terms of section 74 of the Protection of Personal Information Act 4 of 2013, “any person” may submit a complaint to the Information Regulator alleging interference with the protection of personal information of a data subject. Accordingly, children may lay their own complaints with the Information Regulator.
Are there any particular requirements/ prohibitions related to:
a. processing specific types of children’s personal data;
b. carrying out specific processing activities involving children’s personal data; and/ or
c. using children’s personal data for specific purposes.
Yes.
Part C of the Protection of Personal Information Act 4 of 2013 (POPIA) governs the processing of personal information of children (including special personal information (see below*)), and sets out specific requirements for lawful processing. Responsible parties are prohibited from processing personal information concerning a child unless the requirements set out in section 35 of POPIA are met.
The key takeaways in section 35 are as follows:
a) When Processing is Allowed
Processing personal information of children is permitted if the processing is:
- carried out with the prior consent of a competent person;
- necessary for the establishment, exercise or defence of a right or obligation in law;
- required to comply with an obligation of international public law;
- for historical, statistical, or research purposes, provided that (i) it serves a public interest and the processing is necessary for the purpose concerned, or (ii) obtaining consent appears to be impossible or would involve a disproportionate effort to obtain. However, sufficient guarantees must be provided for to ensure that the processing does not adversely affect the individual privacy of the child to a disproportionate extent; or
- in relation to personal information that has deliberately been made public by the child (with the consent of a competent person)
b) Authorisation by the Regulator
Notwithstanding the general prohibition set out in section 34 of POPIA, the Information Regulator may, upon application by the responsible party, authorise the processing of personal information of children if such processing is in the public interest and if safeguards have been put in place to protect such personal information. The Regulator may impose reasonable conditions in respect of any authorisation granted by it, including, amongst other things, conditions in relation to how the responsible party must establish and maintain reasonable procedures to protect the integrity and confidentiality of the personal information.
*Special personal information is akin to “sensitive data” under the GDPR and includes the religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life or biometric information of a data subject.
Notwithstanding the generality of the above, there are no specific requirements / prohibitions in relation to (a) processing specific types of children’s data (except to the extent that special personal information is processed, in which case the general provisions on processing special personal information of all data subjects are applicable), (b) carrying out specific processing activities involving children’s Notwithstanding the generality of the above, there are no specific requirements / prohibitions in relation to (a) processing specific types of children’s data (except to the extent that special personal information is processed, in which case the general provisions on processing special personal information of all data subjects are applicable), (b) carrying out specific processing activities involving children’s personal information, and (c) using children’s personal information for specific purposes.
Has there been any enforcement action by your national data protection/ privacy regulator(s) concerning the processing of children’s personal data? In your answer, please include information on the volume, nature and severity of sanctions.
No.
The Information Regulator has not taken enforcement action in relation to the processing of children’s data. However, in 2022, the Information Regulator issued guidance to the Department of Basic Education (DBE) in relation to the processing of personal information of children. The Information Regulator instructed the DBE to withdraw and amend a non-compliant consent form. No penalties were issued. See more here.
Are there specific rules concerning electronic direct marketing to children?
No.
However, on 3 December 2024, the Information Regulator (South Africa’s data protection regulatory authority) published a guidance note on direct marketing in terms of Protection of Personal Information Act 4 of 2013 (Guidance Note). In particular, the Guidance Note provides that in order to rely on the ground of “legitimate interest” for purposes of direct marketing, a data controller must balance its own legitimate interest against the interests and rights of the data subject. In conducting this balancing exercise, the data controller must consider the nature of the personal information, including whether such personal information is related to children and minors. The Guidance Note is worth noting given that it specifically makes reference to personal information related to children.
Are there specific rules concerning the use of adtech tracking technologies, profiling and/or online targeted advertising to children?
No.
While there are no specific rules pertaining to children in this regard, the classification and publication of content, including advertising, is regulated by the Film and Publication Board (FPB). The FPB is empowered to classify content to, inter alia, protect children from exposure to disturbing and harmful materials and from premature exposure to adult experiences.
Are there specific rules concerning online contextual advertising to children?
No.
While there are no specific rules pertaining to children in this regard, the classification and publication of content, including advertising, is regulated by the Film and Publication Board (FPB). The FPB is empowered to classify content to, inter alia, protect children from exposure to disturbing and harmful materials and from premature exposure to adult experiences.
Has there been any regulatory enforcement action concerning advertising to children? In your answer, please include information on the volume, nature and severity of sanctions.
No.
N/A
At what age does a person acquire contractual capacity to enter into an agreement to use digital services?
In terms of section 17 of the Children’s Act 38 of 2005, a child becomes a major upon reaching the age of 18 years. Once a child attains majority, they obtain contractual capacity to enter into an agreement on their own behalf.
Do consumer protection rules apply to children?
Yes.
While children do not have contractual capacity, the Consumer Protection Act 68 of 2008 (CPA) is intended to protect, inter alia, persons to whom goods and services are marketed in the ordinary course of the supplier’s business. This includes children. In addition, one of the purposes of the CPA is to promote and advance the social and economic welfare of consumers in South Africa by reducing and ameliorating any disadvantages experienced in accessing any supply of goods or services by consumers who are minors (i.e., children). As such, the consumer protection rules apply to children.
Are there any consumer protection rules which are specific to children only?
Yes.
The South African Consumer Protection Act 68 of 2008 (CPA) includes specific provisions to protect children as a vulnerable group of consumers. Suppliers providing goods and services to children must comply with these provisions to ensure that transactions involving minors are fair, safe, and in the child’s best interest. We set out below the key sections of the CPA relevant to suppliers dealing with children.
Section 9:
This section provides for reasonable grounds for differential treatment in specific circumstances. In particular, this section permits suppliers to reasonably differentiate their treatment when transacting with minors (i) in accordance with any public regulation or (ii) as a reasonable precaution to protect the health, safety and welfare of the minor.
For example, section 9 permits suppliers to refuse (on reasonable grounds) to enter into an agreement with a minor for the supply of goods or services, unless the supplier has reason to believe that the minor is emancipated.
Section 39:
This section pertains to agreements with persons lacking legal capacity, including unemancipated minors. In particular, this section provides, amongst other things, that an agreement to enter into a transaction is voidable at the option of the consumer if (i) at the time, the agreement was made, the consumer was an unemancipated minor, (ii) the agreement was made without the consent of an adult responsible for that minor, and (iii) the agreement has not been ratified by either an adult responsible for that minor or the consumer after being emancipated or becoming an adult.
In light the above, agreements with unemancipated minors are generally voidable unless the supplier was misled into believing the minor had full legal capacity.
Has there been any regulatory enforcement action concerning consumer protection requirements and children’s use of digital services? In your answer, please include information on the volume, nature and severity of sanctions.
No.
N/A.
Are there any age-related restrictions on when children can legally access online/ digital services?
No.
N/A.
Are there any specific requirements relating to online/ digital safety for children?
Yes.
The primary legislation for protecting online user rights (including those of children) is the Protection of Personal Information Act 4 of 2013 (POPIA), and the Information Regulator is South Africa’s data protection authority, established under POPIA. The Films and Publications Act 65 of 1996 (FPA) provides that internet service providers must display safety measures on all advertisements for a child-oriented service and in the medium used to access a child-oriented service.
Further, the FPA provides that content must be classified according to the following categories: “refused classification”, “XX”, “X18” and age-restricted content. Publications containing child pornography fall within the “refused classification” category. The FPA, in conjunction with the Criminal Law (Sexual Offences and Related Matters) Amendment Act 32 of 2007, criminalises the possession, production and distribution of child pornography.
The Film and Publication Board (FPB), established in terms of the FPA, has competence in relation to the protection of children in the broadcasting, film, publications and content sector.
The Films and Publications Regulations, 2022, published under the FPA, provide that an internet service provider must, when making an application for registration with the FPB, indicate in its application form all measures or steps taken or put in place to ensure that children are not exposed to child pornography and pornography.
Are there specific age verification/ age assurance requirements concerning access to online/ digital services?
No.
N/A.
Are there requirements to implement parental controls and/or facilitate parental involvement in children’s use of digital services?
No.
N/A.
Has there been any regulatory enforcement action concerning online/ digital safety? In your answer, please include information on the volume, nature and severity of sanctions.
No.
N/A.
Are there any existing requirements relating to children and AI in your jurisdiction?
No.
However, to the extent that the use of the AI tool in question will result in or require the processing of the personal information of children, this will be subject to the requirements under sections 34 and 35 of the Protection of Personal Information Act 4 of 2013 (POPIA). Please see more information on the POPIA here.
Are there any upcoming requirements relating to children and AI in your jurisdiction?
No.
N/A
Has there been any other regulatory enforcement activity to date relevant to children’s use of digital services? In your answer, please include information on the volume, nature and severity of sanctions.
No.
N/A
Are there any other existing or upcoming requirements relevant to children’s use of digital services?
Yes.
The Draft White Paper on Audio and Audiovisual Media Services and Online Content Safety: A New Vision For South Africa, published on 27 July 2023 (Draft White Paper), is a policy document that proposes the regulation of the online digital space. A key guiding principle in the Draft White Paper is the protection of children and consumers. The Draft White Paper contains various proposals related to the protection of children in the digital space. For example, regarding targeted advertisements to children, the Draft White Paper’s online safety section aims to make the internet a safer place by including a prohibition of online advertising to children.
Contributors
Daniel Pretorius
Bowmans
Songezo Ralarala
Bowmans
John Paul Ongeso
Bowmans
Azraa Moyideen
Bowmans
Aneesa Valodia
Bowmans
Tasmika Barath
Bowmans
