The General Data Protection Regulation (“the GDPR”) entered into force last year – in May 2018. With a lot of controversy circling around the new regulation, one of the most difficult questions is what the GDPR actually means for children. Children’s rights under the GDPR have been subject to much discussions.
Previously, we looked into what the requirements relating specifically to children are and when online services are considered as being offered directly to a child. Yet, there are a number of other questions on the matter, which will be examined below.
What does taking “reasonable efforts” to obtain consent require?
One has to note that there is no specific definition of “reasonable efforts” in the GDPR with as much detail as there is in the COPPA. The United Kingdom Information Commissioner Office (hereinafter the “ICO”)asserts that the terms does not have a constant definition. On the contrary, the meaning of “reasonable” may be dependent on whether or not an individual has been properly identified as having given consent. The ICO suggests that “subscrib[ing] to a band’s e-newsletter” carries lesser risk than an offer made to a child to “post personal data via an unmonitored chat room”. It contends that the latter requires “more stringent means to verify the consent.”
The ICO, however, recognises that if an unnecessary amount of information for the purposes of consent is collected, this might be “unlikely to comply with the data protection by design approach in the GDPR.” Hence, this suggests that a controller shall collect just the right amount of information to obtain and verify consent without intruding into the individual’s personal data which is unnecessary for the performance of a given action.
The above might be seen as requiring businesses to thread through a needle. There is a tendency of companies employing the same consent-obtaining and verification methods which are used under the COPPA. This may include the verification of payment methods, proving certain age, such as requiring the provision of credit/debit card numbers. Yet, this may be seen as an intrusive approach under the GDPR solely for proving the age of an individual. It is essential that there is a balance of rights under the GDPR. Hence, other businesses employ less-invasive approaches, which might pose a greater risk for the verification of one’s age but less risk of potentially obtaining an excessive amount of information.
Yet again, there are no tailor-made solutions for companies under the GDPR. Our experienced legal professionals have the knowledge and practice to advise you on issues relating to the obtainment of consent. We therefore invite you to get in touch with us prior to commencing the collection of personal data through your online digital products.
What “consent” means?
As with the COPPA, the GDPR defines “consent” as an “informed consent”. Under the former instrument, consent must be obtained by using a direct notice of your digital service’s data protection practices. This builds on 16 CFR 312.4(c) of COPPA.
What other key differences exist between GDPR and COPPA?
The main difference between the GDPR and COPPA is that the latter offers a self-contained regulatory approach to how the data of children shall be controlled and protected. This is despite the fact that certain states, for instance California, provide for a stricter child data protection mechanism. On the contrary, Article 8 of the GDPR contain provisions that specifically address children, whilst all other rules and protections offered under the Regulation are also applicable. That said, this is in addition to any other more specific rules relating to children data protection established by the Member States. In that sense, one has to note that Article 8 is only a part of the “rights under the GDPR” riddle. Despite the fact that COPPA can be used as a guiding instrument, that offers useful analogies, offering internet services to children that reside in the EU requires a comprehensive methodology in creating a uniform platform which takes into consideration the way children are distinguished from other data subject but also the means through which all GDPR data subjects are protected.