The Tooth Fairy & the General Data Protection Regulation (GDPR)

The magic of biometric data

The Problem


In essence, the Tooth Fairy swaps baby teeth for hold hard cash — a 2013 survey by Visa, Inc. found American children receive on average $3.20 USD per tooth, and with 20 baby teeth per typical mouth thats $64 USD per child.

Problem Statement

The Tooth Fairy unlike Santa does not appear to have a large supporting organisational structure and pending activities with the acquired teeth (more on that later) we can probably assume the Tooth Fairy has a fence.

  • date of birth (with calculated age)
  • current address
  • local currency denomination
  • calculated score on when baby teeth are due to fall out — this presents some interesting work in progress management!
  • parental/guardian information (might even so far as to salary information to determine fair value in context)
  • once the first tooth has been collected from a Data Subject, one could argue biometric data is now being held

Problem Scope

For simplicity, we will de-scope the privacy concerns stemming from actually visiting the property and entering it without being explicitly invited by an authorised person — unlike Santa, who only leaves presents (perhaps consuming milk/cookies) the Tooth Fairy does remove items from the property but arguably in exchange for fair value so this isn’t considered ‘breaking & entering with petty theft’.

GDPR Compliance


These are in no way exhaustive and I am not a [privacy-specialist] lawyer. I would urge Ms Fairy to retain an appropriately capable and experienced GDPR professional and engage a privacy-specialist legal firm.

Bite-sized chunks

I’ll review her GDPR position based on the GDPR core requirements. This is summarily what she could be doing, or at least what I hope she in place, and this will take her through to being somewhat aligned with GDPR’s core principles under a proportionality banner.

What data is being held?

We’ve covered this above, I think she has a pretty good grasp on the information she has.

What are the conditions for processing?

Article 6 provides some core options:

  • (1)(a) — consent
    this cannot apply as Ms Fairy does not obtain consent from Data Subjects (or more likely, parents/guardians on their behalf)
  • (1)(b) — contract
    there is a promise (leave shed tooth under pillow) and exchange of value (tooth will be replaced with money)
  • (1)© — legal obligation
    Ms Fairy may be under a legal obligation but this has not been identified
  • (1)(d) — vital interests
    I would argue the Data Subject has no further use for the tooth but a small sum of money is not in their vital interest
  • (1)(e) — public interest task or vested authority
    Ms Fairy is not a recognised public body and the task itself is carried out on an individual basis — but I could argue the overall activity is in the wider public interest
  • (1)(f) — legitimate interests
    the legitimate interests of the third parties (parent/guardian’s) is likely more legitimate than Ms Fairy’s own, as one cannot exercise a legitimate interest which implies one-sidedness when there is an exchange of value

Where the data is being held

Offshore through the Google Cloud Platform. Compute and App Engines are used to crunch the data sitting in Bigtable.

Who has access to the data?

The Tooth Fairy appears a lone wolf so as a sole trader only she has access to her data — or the Google Cloud support staff when she needs query optimisation assistance and permits Professional Services to get access to theaccount/data.

Who is responsible for the data?

With the Ms Fairy as a sole trader she is registered as a Data Controller as an individual.

That the data is up to date and needs to be kept

Like Santa, Ms Fairy likely gets her data from governmental records (registering a birth workflows etc) and there may well be entirely legal data sharing agreements in place to allow this to happen.

That processing information is conveyed

Article 13 does not appear to apply (I have not been able to identify government privacy notices including the Tooth Fairy) so she is also very likely in contravention of Article 14 as to my knowledge there is no published or readily available privacy notice conveying processing information.

What security is in place to protect the data?

As a single sole trader Ms Fairy is likely in complete control of her data having leverage the Google Cloud Platform and multi-factor authentication using a Yubikey.

Data subject rights (Articles 12 to 23)

Ms Fairy does not typically receive communiqué from Data Subjects or their representatives so Data Subject rights are rarely exercised as a result.


Ms Fairy’s GDPR compliance is opaque but on balanced probability is likely less problematic than Santa’s non-compliance given a clear exchange of value and lack of underlying organisation (staff).


My recommendations to Ms Fairy are:

  • engage in a proportional review from a high-level data protection/compliance perspective (starting with GDPR then into other requirements from other jurisdictions)
  • take a far more transparent approach by publishing a privacy notice
  • include a brief leaflet with each exchange explaining where Data Subjects (or parents/guardians on behalf of) can go to view data, request it be updated (including providing notice of moving home) and the contact details for where to send general data protection queries and complaints.
  • ensure the leaflet is printed on magic paper (perhaps sharing the same printer as Santa to save ink costs) so the complaints section dynamically conveys the Data Subject’s local data regulator and changes language and phrasing to ensure it is plain language (in the local language) to ensure it is understood.
  • take proportional process and technical security steps to protect data in and to/from Google Cloud, particularly on the macOS device which should have a separate one purchased for personal use



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store