On March 2, 2022, following a fast-track legislative process in the French National Assembly and Senate, President Macron of France signed into law a new piece of legislation designed to reinforce parental controls over minors’ access to the Internet (the “Law”) (see final text of the Law published in the Official Journal here, in French).

The Law will apply primarily to manufacturers of devices that enable minors to access online services and content likely to harm [their] physical, mental or moral development” (e.g., computers, smart phones, and tablets).  The Law – which extends only to devices sold with an operating system (e.g., PCs, mobile phones, tablets, smart TVs) – requires manufacturers of such devices to provide a pre-installed parental control system which can be activated by parents or guardians upon first use.  The installation, use, and (where applicable) uninstallation the system must be provided to end users at no additional cost.

In addition to the requirements above, the Law explicitly prohibits the use of personal data of minors collected or generated by the parental control system for commercial purposes, such as direct marketing, profiling or targeted behavioral advertising.  This prohibition will remain in effect even after the minor reaches the age of majority.

Moreover, while device manufacturers are the primary focus of the Law, certain obligations will apply to other actors as well (e.g., providers of operating systems, importers, distributors, and second-hand vendors).  This includes an obligation to certify (or verify existing certification) that devices include the parental control system before placing them on the market.

The Law further specifies that the French Government will, after consulting with France’s Council of State and Supervisory Authority (“CNIL”), issue a decree to clarify how certain aspects of the Law are to be implemented in practice.  This decree should specify, in particular:

  • the minimum functionalities and technical characteristics of the parental control system;
  • the means implemented by the manufacturer to facilitate the use of this system;
  • the conditions under which the competent authority may restrict or prohibit placing any device on the market which presents a risk or non-compliance, as well as conditions under which the competent authority may recall or withdraw such device;
  • how manufacturers can help raise awareness on the risks associated with the use of online public communication services by minors, the early exposure of children to screens, and the means of preventing these risks.

The date upon which the Law enters into force, as well as any transitional provisions (e.g., a grace period to allow for implementation), will also be determined by the forthcoming decree.

This Law is part of France’s broader efforts to better protect minors from inappropriate contents online.  This is a hot-topic in France and we are also seeing French regulators take action on the basis of existing legal provisions (e.g., Article 227-24 of the French Criminal Code, which makes it an offence to have a pornographic message seen or perceived by a minor).  By way of illustration, France’s Regulatory authority for audiovisual and digital communication (“Arcom”) reportedly announced on March 8, 2022 that it has taken legal action to demand the blocking of five pornographic sites, after these sites failed to comply with the Arcom’s order to prevent minors from accessing their content.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Kristof Van Quathem Kristof Van Quathem

Kristof Van Quathem advises clients on information technology matters and policy, with a focus on data protection, cybercrime and various EU data-related initiatives, such as the Data Act, the AI Act and EHDS.

Kristof has been specializing in this area for over twenty…

Kristof Van Quathem advises clients on information technology matters and policy, with a focus on data protection, cybercrime and various EU data-related initiatives, such as the Data Act, the AI Act and EHDS.

Kristof has been specializing in this area for over twenty years and developed particular experience in the life science and information technology sectors. He counsels clients on government affairs strategies concerning EU lawmaking and their compliance with applicable regulatory frameworks, and has represented clients in non-contentious and contentious matters before data protection authorities, national courts and the Court of the Justice of the EU.

Kristof is admitted to practice in Belgium.

Photo of Alix Bertrand Alix Bertrand

Alix advises clients on EU data protection and technology law, with a particular focus on French privacy and data protection requirements. She regularly assists clients in relation to international data transfers, direct marketing rules as well as IT and data protection contracts. Alix…

Alix advises clients on EU data protection and technology law, with a particular focus on French privacy and data protection requirements. She regularly assists clients in relation to international data transfers, direct marketing rules as well as IT and data protection contracts. Alix is a member of the Paris and Brussels Bars.

Photo of Nicholas Shepherd Nicholas Shepherd

Nicholas Shepherd is an associate in Covington’s Washington, DC office, where he is a member of the Data Privacy and Cybersecurity Practice Group, advising clients on compliance with all aspects of the European General Data Protection Regulation (GDPR), ePrivacy Directive, European direct marketing…

Nicholas Shepherd is an associate in Covington’s Washington, DC office, where he is a member of the Data Privacy and Cybersecurity Practice Group, advising clients on compliance with all aspects of the European General Data Protection Regulation (GDPR), ePrivacy Directive, European direct marketing laws, and other privacy and cybersecurity laws worldwide. Nick counsels on topics that include adtech, anonymization, children’s privacy, cross-border transfer restrictions, and much more, providing advice tailored to product- and service-specific contexts to help clients apply a risk-based approach in addressing requirements in relation to transparency, consent, lawful processing, data sharing, and others.

A U.S.-trained and qualified lawyer with 7 years of working experience in Europe, Nick leverages his multi-faceted legal background and international experience to provide clear and pragmatic advice to help organizations address their privacy compliance obligations across jurisdictions.