Lawmakers have long recognised that children need special treatment when it comes to data and how it’s used. As we’d expect, the EU’s new data protection framework, the General Data Protection Regulation (GDPR), includes several important provisions relating to children.
From websites through to IoT-connected smart toys, if you process the personal data of children within the EU, it’s important to find out how these new rules affect your organisation.
Especially when it comes to the minimum age for accessing services, the de facto default for children’s data protection has come from a piece of US federal legislation, the Children’s Online Privacy Protection Act (COPPA). As we see from the likes of the Apple and Google app stores and most social networks, unless a particular jurisdiction has stricter rules in place, COPPA is regarded as the rulebook to follow.
That said, it’s important to remember that COPPA is concerned mostly with consent and parental permission. GDPR is much wider in scope, ushering in new requirements in areas such as subject access rights and data governance.
So let’s say you run an online service and your user base includes minors in both the US and EU. To be compliant, you will need to ensure that you stay on the right side of COPPA and the GDPR. Here’s a closer look at both pieces of legislation, together with guidance on how to get compliance right.
COPPA: the essentials
First brought into force in 1998 and since updated to reflect changing technologies, COPPA sets out obligations on organisations that collect and use data from children. In very simple terms, where a company collects personal information from a child under the age of 13, COPPA demands that you seek parental consent.
COPPA covers online services operated for “commercial purposes” – so, for instance, a non-profit organisation offering free interactive information services would likely be exempt. Websites, apps, connected toys, internet-enabled location-based services and gaming platforms (to name just a few) are all covered. COPPA also recognises that a service can still be “commercial” in nature – even if that service is free at the point of use.
Even though this is an American law, the Federal Trade Commission (FTC) has made it clear that it will apply to foreign websites or services where those services “are directed to children in the US or knowingly collect information from children in the US”.
Key aspects of COPPA include the following:
- Scope. The law covers not just dedicated kids’ platforms but also services with a general audience where the owner is aware that data is being collected from children under the age of 13.
- Verifiable parental consent. This needs to be obtained before the collection, use or disclosure of personal data relating to children under 13.
- Security. There’s a general requirement to maintain “reasonable” measures to protect this data.
The FTC’s six-step compliance guide is designed to help businesses establish whether they are covered by COPPA – and what they need to do to comply.
GDPR and children’s data
COPPA is a relatively “short & sweet” piece of US legislation covering a handful of distinct areas. GDPR looks very different. Replacing the old Data Protection Directive, it provides a complete security and protection framework for the processing of EU residents’ personal data – both online and offline.
GDPR applies to organisations that control or process the data of EU residents, wherever they are based. For foreign organisations without a physical presence in the EU and who process personal data in connection with “offering goods and services”, it may be necessary to nominate an EU representative. You can read more about this here.
If your product or service offering is squarely child-focused, there are specific child-related provisions to follow (relating to consent, for instance). But at the same time, you’ll need to get to grips with all aspects of GDPR. For this, our resources section provides a handy overview.
Obtaining parental consent
GDPR doesn’t set a single universally applicable age at which children can decide for themselves whether to use an online service. Instead, it gives the Member States the power to choose their preferred nationwide age of data consent, anywhere between 13 and 16.
Most EU countries (including the UK) set this age at 13 (taking the lead from the COPPA rules). But there are exceptions to this; for instance, in Spain the age is 14 and in the Netherlands it’s 16. If you are offering your service in areas where the age is higher, you’ll need to set regionally appropriate variations on your platform.
So if you offer an online service, there are two broad approaches to take:
Where your offering is not designed for younger children (e.g. an app for older teenagers), you should make reasonable efforts to ensure that anyone providing their consent is at least 13 years old. At the very least, you should ask them to specifically confirm that they are 13 or over at the sign-up stage.
Where you do wish to attract a younger audience (e.g. games for very young children), you need to obtain parental consent – and this includes taking reasonable steps to ensure that the person providing consent has parental responsibility for the child in question. The FTC’s COPPA guidance is actually a lot more descriptive than GDPR on what these reasonable measures might consist of, citing the provision of debit card details, “knowledge-based challenge answers” and verification of official ID (among other possibilities) as examples.
Under the GDPR, you are required to provide data subjects with clear, straightforward information on how you use their data. Crucially, this needs to be easily understood by your intended audience. So if, for instance, your lifestyle app is used by 15-year-olds, you’ll need to ensure that the information you provide is going to make sense to that demographic. You can find out more about what needs to be included in privacy notices here.
As for obtaining parental consent for children under 13, COPPA and the GDPR are broadly in line with each other. COPPA demands that you give parents “direct notice” of your information practices, setting out what personal data you want to collect and your purpose for collecting it.
Likewise, if you follow GDPR rules on making it possible for data subjects to withdraw their consent easily, to gain access to data and to request data deletion, you are, in effect, in compliance with both sets of law.
Want an easier way of staying on top of your compliance obligations? The Privacy Compliance Hub offers a complete solution for GDPR compliance. To find out more, ask for a demo, or call for a chat today.