The General Data Protection Regulation (“the GDPR”) entered into force last year – in May 2018. With a lot of controversy circling around the new regulation, one of the most difficult questions is what the GDPR actually means for children’s rights.
As is common with the GDPR, the text of the Regulation itself does not say much. Yet, we bear in mind that there are businesses that target children on the internet both intentionally and unintentionally.
One has to take into account that the GDPR has (as of the date of drafting the present article) very little regulatory build-out. There is almost no guidance, documentation or precedent that may assist in its interpretation. In that sense, the GDPR is unlike the Children’s Online Privacy Protection Act (the “COPPA”) in the United States of America. There, the Federal Trade Commission (the “FTC”) has already had the opportunity to issue guidance. There are also numerous enforcement precedents which establish how this legal instrument should actually be applied.
In that sense, what we can currently do is compare the two, bearing in mind they are still very different legislative initiatives. Yet, the COPPA may serve as guidance on how both EU and non-EU businesses can facilitate compliance with the GDPR in relation to children’s rights.
The GDPR requirements in relation to children.
Article 8 of the GDPR addresses the “[c]onditions applicable to child’s consent in relation to information society services.” It refers to the processing of children’s data and prohibits such processing unless the child is “at least 16 years old”. If a child is less than 16 years of age, processing is only allowed if consent “is given or authorized by the holder of parental responsibility over the child.”
Businesses (both controllers and processors) are required to “make reasonable efforts to verify […] that consent is given or authorized by the holder of parental responsibility over the child, taking into account available technology.” And whilst the GDPR offers “advice” to parents and guardians, it does not suggest how processors and controllers can actually verify whether such consent is duly given by such parent or guardian.
Similarly, the COPPA places an obligation on online service operators “to provide notice and obtain verifiable parental consent prior to collecting, using, or disclosing personal information from children.” The main difference one can see between the GDPR and the COPPA is that the latter offers unambiguous explanations of when a service is being offered to a child, who may give consent and how such consent may be received.
When are online services offered “directly to a child”?
Both the GDPR and COPPA speak about services offered “directly to a child” or, respectively, “directed to a child”. However, there is one major difference in interpretation. COPPA refers to websites available to the public. Under it, an online service may be considered as “directed to a child” if it is “made available to all users without any age restrictions” and where, depending on the context, it may reasonably be suggested that its products or services are offered to children, including taking into account content and marketing plans.
As with COPPA, for a generally-available website, a service may be considered to be offered “directly to a child” when it is “made available to all users without any age restrictions” and where the site may reasonably be understood to target children, taking into account such factors as “site content” and “marketing plans.”
In that regard, however, the GDPR only applies to services that are “directly” offered to children. The United Kingdom Information Commissioner’s Office (the “ICO”) has unambiguously concluded that if an information society service “is only offered through an intermediary, such as a school, then it is not offered ‘directly’ to a child.”1. By contrast, COPPA makes no such distinction and applies to any information society services used by children. Yet, a special set of rules (and exceptions) applies to services used by schools and allows schools to “replace” parents in providing consent for children to use certain information society services related to education.
The next part of this Article will look into what “reasonable efforts” controllers need to make in order to obtain consent and what “consent” actually means in the context of children’s rights. We will also look into some other differences between the two major instruments on the old and new continent – the GDPR and the COPPA. Stay tuned!