Children’s rights under the GDPR and the COPPA (Part 2)


The General Data Protection Regulation (“the GDPR”) entered into force last year – in May 2018. With a lot of controversy circling around the new regulation, one of the most difficult questions is what the GDPR actually means for children. Children’s rights under the GDPR have been the subject of much discussion.

Previously, we looked into what the requirements relating specifically to children are and when online services are considered as being offered directly to a child. Yet, there are a number of other questions on the matter, which will be examined below.

What does taking “reasonable efforts” to obtain consent require? 

One has to note that there is no specific definition of “reasonable efforts” in the GDPR with as much detail as there is in the COPPA. The United Kingdom Information Commissioner's Office (hereinafter the “ICO”) asserts that the term does not have a constant definition. On the contrary, the meaning of “reasonable” may be dependent on whether or not an individual has been properly identified as having given consent. The ICO suggests that “subscrib[ing] to a band’s e-newsletter” carries lesser risk than an offer made to a child to “post personal data via an unmonitored chat room”. It contends that the latter requires “more stringent means to verify the consent.”

The ICO, however, recognises that if an unnecessary amount of information for the purposes of consent is collected, this might be “unlikely to comply with the data protection by design approach in the GDPR.” Hence, this suggests that a controller shall collect just the right amount of information to obtain and verify consent without intruding into the individual’s personal data which is unnecessary for the performance of a given action.

The above might be seen as requiring businesses to thread a needle. Companies tend to employ the same consent-obtaining and verification methods that are used under the COPPA. These may include verifying payment methods as proof of a certain age, such as requiring the provision of credit/debit card numbers. Yet, under the GDPR, this may be seen as an intrusive approach when used solely to prove the age of an individual. It is essential that there is a balance of rights under the GDPR. Hence, other businesses employ less invasive approaches, which might pose a greater risk for the verification of one’s age but less risk of potentially obtaining an excessive amount of information.

Yet again, there are no tailor-made solutions for companies under the GDPR. Our experienced legal professionals have the knowledge and practice to advise you on issues relating to the obtainment of consent. We therefore invite you to get in touch with us prior to commencing the collection of personal data through your online digital products.

What does “consent” mean?

As with the COPPA, the GDPR defines “consent” as an “informed consent”. Under the former instrument, consent must be obtained by using a direct notice of your digital service’s data protection practices. This builds on 16 CFR 312.4(c) of COPPA.

Unlike the COPPA, however, the GDPR does not offer any such level of specificity. It gives less ambiguous information on the prerequisites for consent-based data processing. Yet, this does not mean the rights under the GDPR are lesser. Conditions for consent are contained in Recital 32 and Article 7 of the GDPR. The former seeks “specific, informed, and unambiguous” consent from data subjects, but only on the condition that there is a “clear, concise, and not unnecessarily disruptive” Privacy Policy notice, which shall elaborate on what data a given business collects, for what purposes and how it is to be processed.

Subsequently, COPPA offers practical guidance. The underlying principles that are used to draft a Privacy Policy and notice under COPPA can also be utilised to inform about “consents” received for the purposes of complying with the GDPR. In that sense, both instruments emphasise (i) what personal data is collected; (ii) how it is used; (iii) if and when it may be disclosed; (iv) how data subjects can access, amend or delete such data; and (v) the means undertaken to protect personal data. Here, the GDPR imposes more concrete requirements (i.e. in relation to changing and deleting personal information). Yet, the COPPA still remains useful guidance when assessing GDPR compliance.

What other key differences exist between GDPR and COPPA?

The main difference between the GDPR and COPPA is that the latter offers a self-contained regulatory approach to how the data of children shall be controlled and protected. This is despite the fact that certain states, for instance California, provide for a stricter child data protection mechanism. On the contrary, Article 8 of the GDPR contains provisions that specifically address children, whilst all other rules and protections offered under the Regulation are also applicable. That said, this is in addition to any other more specific rules relating to children's data protection established by the Member States. In that sense, one has to note that Article 8 is only a part of the “rights under the GDPR” riddle. Despite the fact that COPPA can be used as a guiding instrument that offers useful analogies, offering internet services to children who reside in the EU requires a comprehensive methodology for creating a uniform platform, one which takes into consideration the way children are distinguished from other data subjects but also the means through which all GDPR data subjects are protected.


Lege Nova
Lege Nova offers you the easiest way to avoid huge legal fines and to be fully compliant with your online legal obligations. Our legal experts know the law and how it applies to the challenges of the digital era. Both our individually drafted and generated legal documents will raise your profits, elevate your customers' experience and limit potential disputes to the minimum.
