The pervasiveness and allure of the internet continue to hold sway and grow stronger across different age groups, more so with the younger generation. A major outcome of this is the readiness of a number of users to share their personal data on various platforms. One of the rising challenges amidst all this is children’s data: studies have shown that more than 83% of children will have regular access to a smartphone in their pre- and early teens. Business organisations are therefore exposed, sometimes unknowingly, to processing the data of a child for several purposes, whether commercial or administrative. In view of this, it is important that the right privacy principles are adopted when dealing with child data. This instalment of ALN Nigeria’s Privacy Please series will examine the provisions relating to the protection of child data under Nigerian law and offer guidance to business organisations.

18 September 23

Processing Personal Data of a Child
Prior to the enactment of the Nigeria Data Protection Act (NDPA) 2023, the processing of the personal data of a child was primarily regulated by the Nigeria Data Protection Regulation (NDPR) and its Implementation Framework. For the purposes of the NDPR, a child was categorised as a person below 13 years of age. Data controllers or processors whose processing activity targeted children were required to ensure that their privacy policy was made in a child-friendly form, so that children and their guardians had a clear understanding of the data processing activity before granting consent. Under the NDPR, information relating to a child is to be provided in writing or by other means, including electronic means where appropriate.

However, the NDPA has established a new regime with respect to the processing of personal data belonging to a child and persons lacking legal capacity.

Age – The NDPA increases the age requirement for data protection purposes. A child is now considered as any person below 18 years of age, a significant increase from the provisions of the NDPR highlighted above.

Consent – Whilst the NDPR and its Implementation Framework were silent on whom to obtain consent from, the NDPA explicitly states that a data controller shall obtain the consent of the parent or legal guardian, as applicable. However, this consent will not be required where:

  1. It is necessary to protect the vital interests of the child or person lacking the legal capacity to consent;
  2. It is carried out for purposes of education, medical, or social care, and undertaken by or under the responsibility of a professional or similar service provider owing a duty of confidentiality; or
  3. It is necessary for proceedings before a court relating to the individual.

Protection – The NDPA places an additional layer of responsibility on data controllers, as it requires them to apply appropriate mechanisms to verify age and consent, taking into consideration available technology. For this purpose, the presentation of any government-approved identification document is deemed an appropriate mechanism.

Finally, the NDPA authorises the Nigeria Data Protection Commission (NDPC) to make regulations for the protection of children that are 13 years and above in relation to the provision of information and services by electronic means at the specific request of the child. This means that we should expect specific guidelines from the regulators on the processing of data from children in the aforementioned age group (13 years and above but below 18) via the internet and other electronic means.

The above provisions clearly show that the NDPA has given significant attention to the processing of child data. It goes further to state that nothing within the Act shall be construed as authorising data processing in respect of a child in a manner that is inconsistent with the provisions of the Child’s Rights Act.

Should you have any questions regarding this legal alert, do not hesitate to contact Sumbo Akintola.


Emmanuel Ido – Associate