INTRODUCTION
In the digital age, the rate and duration of children's internet usage are steadily increasing. Although social media platforms and online games have become spaces for entertainment, learning, and socialization for children, they also carry significant risks in terms of personal data processing. Due to their limited capacity for abstract thinking, risk assessment, and understanding of data processing procedures, children are developmentally more vulnerable in digital environments.
The sharing of photos, videos, or personal information via social media, and the collection of user data or processing of location information through online games, pose considerable risks. These include the collection and dissemination of children's data without explicit consent, and its accessibility by third parties. Particularly, the sharing of children's data without parental knowledge or consent (e.g., sharenting) may result in serious violations of the child's right to privacy and data protection.
This article examines data processing activities conducted via social media and online games from the perspective of relevant legislation, decisions and bulletins of the Turkish Personal Data Protection Board ("the Board"), and international practices.
A. CHILDREN'S DATA UNDER THE TURKISH PERSONAL DATA PROTECTION LAW
The Law No. 6698 on the Protection of Personal Data ("PDPL") does not contain specific provisions solely applicable to children. Nevertheless, considering children's developmental characteristics and cognitive capacities, data processing concerning children requires heightened sensitivity. In particular, principles such as obtaining explicit consent, the obligation of information, and data minimization gain increased significance.
According to Article 3 of PDPL, personal data is defined as any information relating to an identified or identifiable natural person. Although children's data is not classified as "sensitive personal data," it nevertheless warrants special protection, as children have a greater right to data protection.
Under Article 10 of PDPL, data controllers are obliged to inform the data subject before processing activities begin. However, if the child is not of sufficient age or maturity to comprehend this information, a parent or legal guardian must intervene, ensuring that such representation is in line with the best interests of the child.
In accordance with Article 5, personal data may only be processed with the explicit consent of the data subject. The consent mechanism varies depending on the child's age and capacity to distinguish right from wrong. If a child is not mature enough to give consent independently, such consent must be provided by their legal representative, and must serve the best interests of the child.
The Board's Bulletin No. 5, April–July 2024, titled "Privacy in the Digital Age: Protection of Children's Personal Data," emphasizes:
- Implementation of effective age verification mechanisms,
- Customization of consent processes specifically for children,
- Restrictions on processing data for purposes such as advertising, personalization, and location tracking,
- Conducting data processing activities in accordance with the best interests of the child.
Additionally, it was underlined that children should be protected against practices such as behavioral profiling, location tracking, and targeted advertising, and that platforms must align such services with the child's dignity, health, and development.
B. CHILDREN'S DATA ON SOCIAL MEDIA: SHARENTING AND PRIVACY VIOLATIONS
Though not yet standardized in Turkish, the term "sharenting"—a portmanteau of "sharing" and "parenting"—refers to the act of parents regularly posting detailed content about their children's private lives on social media. The emergence of this term reflects the increasing frequency of such behaviour. An extension of this is "over-sharenting," which denotes excessive sharing of children's images, voices, and personal data.
While such sharing may stem from good intentions, it may violate the child's right to privacy. Such content could be misused by third parties or negatively affect the child's social life in the future. The July 2024 Board Bulletin noted that the prevalence of sharenting adversely affects children's digital footprints, emphasizing the need to raise awareness among parents.
Although PDPL does not explicitly regulate sharenting, this does not grant the holder of parental custody unlimited freedom to disclose the child's personal data. Data processing by parents must be limited by general principles of data protection law and child protection regulations.
Even if a lawful basis exists, personal data must be processed in a limited, proportional, and purpose-specific manner. Particular caution must be taken where the data does not serve any benefit to the child, and especially where it infringes the child's dignity or private life.
Furthermore, children who have reached the age of discernment, or who are legally adults, may consider such posts to be violations of their personal rights and request their removal. This falls within the "right to be forgotten," which encompasses control over one's digital past. For example, in a notable Italian case, a 16-year-old sued her mother for failing to remove photos shared without her consent. The court ruled that the mother must delete such content or pay €10,000 in damages if similar behavior is repeated in the future (See: BBC link).
C. ONLINE GAMES AND DATA SECURITY
Digital games are not only sources of entertainment but also spaces for social interaction, learning, and identity formation. However, due to the diversity of data collected and the nature of its processing, online games carry considerable risks regarding the security of personal data. Children, in particular, are more vulnerable due to their limited understanding of data processing mechanisms.
Online games often collect data such as age, location, friend lists, and interests from children. While this may serve to personalize gaming experiences, it is also used for advertising and marketing purposes. Through third-party SDKs (software development kits), user data may be transferred to external platforms.
Laws similar to the U.S. Children's Online Privacy Protection Act (COPPA) require stringent oversight of data processing in child-oriented applications in Turkey as well. Game features such as "chat" and "add friend" may lead to unintended disclosures of personal data, thus making it essential for platforms to enable tools such as private profiles, restricted access, and age-based content filters.
The "Symposium on Digital Games and Personal Data Protection" hosted by the Turkish Personal Data Protection Authority in April 2025 revealed that online games process data such as children's geolocation, IP addresses, device data, in-game behavior, preferences, and even audiovisual recordings. Elements such as chat, friend additions, and in-game purchases further complicate these data processes.
Digital game providers are required to comply with core principles of PDPL, such as transparency, purpose limitation, obtaining explicit consent, ensuring data security, and proportionality. Consent collection processes must be simplified and made comprehensible for children, taking into account their age and capacity. In line with the GDPR, determining a "digital age of consent" and requiring parental consent for users below this age has also been recommended by the Board.
Both parents and platform developers agree on the need for more effective digital age verification mechanisms. Instead of allowing users to simply declare their age, more reliable technologies for identity verification should be employed.
A forward-looking approach is the "Privacy by Design" principle, which calls for integrating data protection and children's rights into the software development lifecycle of digital games. Legal compliance must be accompanied by ethical responsibility, placing the child at the center of system design. Game providers are obliged to obtain explicit consent in a clear, understandable, and child-friendly manner.
D. CONCLUSION AND EVALUATION
The protection of children's personal data is not only a legal duty but also an ethical and societal obligation. Owing to their developmental stage, children are not capable of participating fully in data-related decisions and thus require special safeguards. Data processing through social media and online games can adversely impact children both physically and psychologically.
Although PDPL does not yet contain specific provisions tailored to children, the Board has sought to fill this gap through its decisions, bulletins, and guidance documents. These instruments clearly indicate the need for enhanced protection in digital environments and have provided direction to data controllers.
Alongside legal regulations, raising awareness among parents and educators, developing child-specific privacy policies by platforms, and strengthening the Board's guidance efforts are among the primary steps needed in this area.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
