From websites through to IoT-connected smart toys, if you process the personal data of children within the EU, it’s important to find out how these new rules affect your organisation.
Especially when it comes to the minimum age for accessing services, the default baseline for children’s data protection has come from a piece of US Federal legislation, the Children’s Online Privacy Protection Act (COPPA). As we see from the likes of the Apple and Google app stores and most social networks, unless a particular jurisdiction has stricter rules in place, COPPA is regarded as the rulebook to follow.
That said, it’s important to remember that COPPA is concerned mostly with consent and parental permission. GDPR is much wider in scope, ushering in new requirements in areas such as subject access rights and data governance.
So let’s say you run an online service and your user base includes minors in both the US and EU. To be compliant, you will need to ensure that you stay on the right side of COPPA and the GDPR. Here’s a closer look at both pieces of legislation, together with guidance on how to get compliance right.
COPPA: the essentials
First brought into force in 1998 and since updated to reflect changing technologies, COPPA sets out obligations on organisations that collect and use data from children. In very simple terms, where a company collects personal information from a child under the age of 13, COPPA demands that you seek parental consent.
COPPA covers online services operated for “commercial purposes” – so, for instance, a non-profit organisation offering free interactive information services would likely be exempt. Websites, apps, connected toys, internet-enabled location-based services and gaming platforms (to name just a few) are all covered. COPPA also recognises that a service can still be “commercial” in nature – even if that service is free at the point of use.
Even though this is an American law, the Federal Trade Commission (FTC) has made it clear that it will apply to foreign websites or services where those services “are directed to children in the US or knowingly collect information from children in the US”.
Key aspects of COPPA include the following:
- Scope. The law covers not just dedicated kids’ platforms but also services with a general audience where the owner is aware that data is being collected from children under the age of 13.
- Verifiable parental consent. This needs to be obtained before the collection, use or disclosure of personal data relating to children under 13.
- Security. There’s a general requirement to maintain “reasonable” measures to protect this data.
This FTC 6-step compliance guide is designed to help businesses establish whether they are covered by COPPA – and what they need to do to comply.
GDPR and children’s data
COPPA is a relatively “short & sweet” piece of US legislation covering a handful of distinct areas. GDPR looks very different. Replacing the old Data Protection Directive, it provides a complete security and protection framework for the processing of EU residents’ personal data – both online and offline.
GDPR applies to organisations that control or process the data of EU residents, wherever they are based. For foreign organisations without a physical presence in the EU and who process personal data in connection with “offering goods and services”, it may be necessary to nominate an EU representative. You can read more about this here.
If your product or service offering is squarely child-focused, there are specific child-related provisions to follow (relating to consent, for instance). But at the same time, you’ll need to get to grips with all aspects of GDPR. For this, our resources section provides a handy overview.