Children's data: verify age and parental consent

Related rules

From the same buckets as this rule.

• Critical

  Deletion requests: anonymize or hard-delete PII irreversibly

  On LGPD deletion, remove or irreversibly anonymize PII and purge dependent caches. Keep minimal audit metadata (timestamp, request ID) not linkable back to the subject.

  compliance-lgpdmigrations-backward-compat+1
• Critical

  Encrypt PII at rest with AES-GCM and managed keys

  For fields like CPF, birth_date, and address, use AES-256-GCM with envelope encryption. Keys must come from a managed KMS; rotate data keys at least annually and store key IDs with the ciphertext.

  compliance-lgpdsecurity-hardening
• Critical

  Require explicit consent before processing sensitive data

  Before handling sensitive personal data (e.g., health, biometric), verify a valid consent record and attach its ID to the processing context. Provide a path to revoke consent and stop further processing.

  compliance-lgpdapi-conventions+1