← Back to blog

Children's and adolescents' data under Law 21.719: reinforced protection

A school that publishes photos of its students, an app that asks for a date of birth to create an account, an educational platform that logs every click of a seventh grader. All of them process children's and adolescents' data, and in every case the reasonable standard of care is higher than usual. This guide explains what reinforced protection for children and adolescents means and how to put it into practice before full enforcement of Law 21.719 begins on December 1, 2026.

Minors · Law 21.719

The essentials in 30 seconds

  • Children's and adolescents' data demands reinforced protection: they are particularly vulnerable data subjects and do not always understand the consequences of handing over their information.
  • The best interests of the child or adolescent is the criterion that must guide every processing decision, even when business convenience pushes in another direction.
  • In practice this means clear, age-appropriate information, consent management that accounts for the role of those responsible for their care, data minimization and reinforced security.
  • When processing may entail a significant risk to their rights, the reasonable course is to assess the impact through a DPIA and document the mitigation measures.
  • The first operational step is to identify and flag in the Record of Processing Activities (RoPA) every process involving minors.

Law 21.719, published on December 13, 2024 and fully enforceable from December 1, 2026, leaves behind the framework of Law 19.628 of 1999 and brings Chile closer to the European GDPR standard on which it is modeled. Under that standard, not all data subjects are in the same position: some people, because of their stage of development, need greater safeguards. Children and adolescents are the clearest case, and that is why their information calls for reinforced protection. If you want the full picture, start with our guide to the data protection law in Chile.

If your organization is a school, an educational platform, an entertainment app, a pediatric health provider or a brand that speaks to young audiences, this article affects you directly. And if you believe you do not process minors' data, it is worth checking: it appears more often than people assume, in enrollment forms, family benefit programs, medical records, contests and marketing databases.

Why minors' data receives special care

The reason is twofold and fairly intuitive. First, children and adolescents are particularly vulnerable data subjects: they depend on others, they have fewer tools to defend themselves against misuse of their information, and they carry the consequences of a decision made at eight or thirteen for far longer. Second, they do not always understand what they are handing over or what will be done with it. A teenager can accept a privacy policy in two seconds without having processed that they have just enabled an advertising profile that will follow them for years.

On top of this, a minor's information usually comes bundled with other delicate data: their academic performance, their family situation, their health, their behavior. A data point that would be unremarkable for an adult can, for a minor, reveal far more than it appears. That is why reinforced protection is not a formality: it is the recognition that the same processing generates a different risk depending on who the data subject is.

The practical consequence is that the standard rises. What might pass as acceptable when processing adults' data, for example a dense privacy notice, broad just-in-case collection or standard access controls, simply falls short with minors.

The best interests of the child or adolescent as a compass

The best interests of the child or adolescent is a principle recognized in international human rights law and firmly established in child protection. It operates as a guiding criterion whenever a decision affects a minor. Applied to data protection, it means that the well-being of the child or adolescent must outweigh the organization's commercial or operational convenience when the two come into conflict.

It is a criterion, not a box to tick. It forces you to ask, before launching a feature or adding a new field to a form: does what we are about to do benefit the minor, or only us? Does it open a door for them, or expose them? Would they understand what happens to their information if we explained it in their own words.

In practice, applying the best interests principle translates into very concrete decisions: turning off personalized advertising aimed at minors by default, not using design patterns that push them to share more information than necessary, avoiding public exposure of children's profiles, and not reusing school data for purposes unrelated to the educational process. When doubt persists, the reasonable answer is almost always the most protective one.

Who processes minors' data, even without realizing it

The universe is considerably wider than schools. Any organization whose product, service or database touches people under the age of eighteen is included, even if minors are not the paying customer.

A frequent and often overlooked case is the company that does not target minors but collects their data anyway. All it takes is a form that does not filter by age, or a parent enrolling their child in a benefit, for adults' and minors' data to coexist in your database with no distinction whatsoever. And if you cannot separate them, you cannot protect them differently either.

  • Schools and educational institutions: enrollment, student records, grades, attendance, behavioral notes, psychoeducational reports, photographs and videos of activities.
  • Educational platforms and edtech: student accounts, activity logs, progress metrics, content the student produces and, very often, detailed analytics of their behavior.
  • Apps, games and digital services: account registration, geolocation, device identifiers, chats, advertising and profiling.
  • Pediatric health: medical records, diagnoses, treatments and family history, which are also sensitive data and therefore combine both demanding standards.
  • Brands aimed at young audiences: contests, loyalty clubs, forms requesting a date of birth, mailing lists and social media campaigns.
  • People and benefits teams: data on employees' children in supplementary insurance, school allowances or family activities.

Clear information and consent management

Transparency is the first practical obligation, and with minors it carries an additional requirement: the information must be understandable to whoever receives it. A privacy notice written for lawyers informs no one, let alone a ten-year-old. Adapting the language to the reader's age is not a courtesy, it is what allows the information to serve its purpose.

That means different versions for different audiences: a brief, visual explanation in plain language for the minor, and a complete version for those responsible for their care. Both must say exactly the same thing, with no fine print that contradicts the summary.

As for consent, the key is not to treat it as a formality resolved with a checkbox. With minors you must account for the role of those responsible for their care, whether mothers, fathers, guardians or the educational institution depending on the context, and design the flow so that the authorization is genuine, informed and traceable. It is also worth being clear about when consent is not even the appropriate route: much school or health processing usually rests on other legal bases, and forcing consent where it does not belong only creates a false sense of compliance.

  • Explain the processing at two levels: an age-appropriate version for the minor and a complete one for those responsible for their care.
  • Avoid legal jargon, euphemisms and generic clauses along the lines of "improving our services."
  • Design flows that make visible the role of those responsible for the minor's care, and keep a record of when, how and for what purpose the authorization was granted.
  • Check that the legal basis you have chosen is the correct one: in school and health settings, consent is not always the appropriate ground.
  • Facilitate the exercise of ARSOP rights (Access, Rectification, Suppression or Cancellation, Objection and Portability) through a channel a guardian can use without friction.

Data minimization and reinforced security

The most effective way to protect a minor's data is not to hold it. The minimization principle, meaning collecting only what is necessary for a defined purpose, is demanding with any data subject, and with children and adolescents it becomes the first line of defense. Every additional field on a school form is a risk you take on for years, because school data tends to accumulate across a student's entire trajectory.

It is worth scrutinizing inherited practices: the student's national ID number in shared spreadsheets, lists with home addresses circulating by email, photographs published on social media without any criteria, historical backups nobody ever purges. The useful question is not who wants this data, but what happens if this data leaks.

On security, the standard must be consistent with the level of risk, and here the risk is higher. That means stricter controls than those applied to the rest of the operation, not the same ones.

  • Limit collection to the essential and define retention periods: school data should not live forever.
  • Restrict access by role: not all staff need to see a student's complete record.
  • Encrypt information in transit and at rest, and get the data out of loose spreadsheets and messaging groups.
  • Maintain traceability with audit logs that show who accessed what information and when.
  • Extend the standard to your suppliers: if a third party processes your students' or users' data, the controller-processor relationship must be formalized and controlled.

When to assess the impact (DPIA)

A Data Protection Impact Assessment (DPIA) is the exercise of anticipating the risks of a processing activity before launching it and documenting how you will mitigate them. When the processing involves children and adolescents and may entail a significant risk to their rights, assessing the impact is the reasonable decision, as well as a concrete demonstration of proactive accountability.

There are fairly clear signals that one is warranted: profiling or segmentation of minors, use of biometric data, systematic monitoring of behavior or progress, geolocation, large-scale processing on an educational platform, or the incorporation of artificial intelligence systems that make or support decisions about students.

A DPIA is not a document for the archive. Its value lies in when it is done: it forces you to examine the design before building it, to discard features that do not survive scrutiny, and to put in writing why the chosen alternatives are the least intrusive. Before the Personal Data Protection Agency, that traceability is what separates a diligent organization from one that improvises. And if something goes wrong, the duty to notify breaches also applies: the impact of an incident affecting minors' data is potentially greater, and the response must be rehearsed before it happens.

How to identify and flag them in the RoPA

The Record of Processing Activities (RoPA) is the inventory of what data you process, for what purpose, on what legal basis, with whom you share it and how long you retain it. It is the piece that holds everything else up: without a RoPA you do not know where minors' data is and, therefore, you cannot treat it differently.

The concrete task is to add an explicit flag to the RoPA for processing activities involving children and adolescents, in the same way sensitive data is flagged. That label is not decorative: it is what triggers the additional controls, prioritizes the DPIA and defines the level of security each process warrants.

From December 1, 2026 enforcement is full, and the Personal Data Protection Agency can impose fines of up to 5,000 UTM for minor infringements, up to 10,000 UTM for serious ones and up to 20,000 UTM for very serious ones, in addition to entering the sanctions in the National Register of Sanctions. With minors' data, however, the strongest argument is not the fine: it is that families' trust, once broken, is not recovered with a press release.

  • Walk through your processes and ask, for each one, whether the data subject could be a minor, even incidentally.
  • Add a minors field or label to the RoPA and cross-reference it with the sensitive data flag where applicable, for example in health or biometrics.
  • For each flagged processing activity, document the purpose, the legal basis, how the minor and those responsible for their care are informed, the retention period and the security measures.
  • Identify the processors involved, such as platforms, cloud providers, school photography companies or marketing agencies, and review their contracts.
  • Define who is accountable: if your organization has appointed a Data Protection Officer (DPO), processing involving minors should be permanently on their radar.

Does your organization process children's and adolescents' data?

At AlayIAtrust we help schools, educational platforms, health providers and brands identify their processing of minors' data, flag it in the RoPA, run Impact Assessments and raise the protection standard before full enforcement of Law 21.719. Let's talk about your case.

Schedule an assessment

Frequently asked questions

Why does children's and adolescents' data receive reinforced protection?

Because they are particularly vulnerable data subjects and do not always understand the consequences of handing over their information. The same processing generates a different risk depending on who the data subject is: a minor has fewer tools to defend against misuse and carries the consequences for longer. That is why the required standard of care is higher than the one applied to an adult, in line with the best interests of the child or adolescent and with the European GDPR standard on which Law 21.719 is modeled.

What do the best interests of the child or adolescent mean in data protection?

That the minor's well-being must guide every processing decision and outweigh the organization's commercial or operational convenience when the two come into conflict. It is not a box to tick but a criterion: before collecting a data point or launching a feature you must ask whether it benefits the minor or only the company. When in doubt, the reasonable option is the most protective one.

How is consent managed when the data subject is a minor?

With more care than in a standard flow. The information must be provided in clear language appropriate to the minor's age, and also in a complete version for those responsible for their care, whose role must be factored into the design of the flow. The authorization must be genuine, informed and traceable. It is also worth checking whether consent is the correct legal basis: much school or health processing usually rests on other grounds.

How do I identify and flag minors' data in the RoPA?

By walking through your processes and asking, for each one, whether the data subject could be a minor, even incidentally. Then you add an explicit label for those processing activities to the Record of Processing Activities, cross-reference it with the sensitive data flag where appropriate, and document the purpose, legal basis, retention period, security measures and processors involved. That flag is what triggers the reinforced controls and prioritizes the DPIA.

You may also be interested in

Sensitive data

Sensitive data under Law 21.719: what they are and how to protect them

Essential guide

Data Protection Law in Chile: the complete guide

Law 21.719

Law 21.719: the definitive guide to comply and avoid fines

Next step

Is your company ready
for December 2026?

A no-obligation 30-minute assessment.

Request an assessment