Protecting children’s data online must move to the forefront of GDPR enforcement following recent violations of children’s privacy.
It has been a year since the General Data Protection Regulation (GDPR) came into force. Last May we saw businesses scrambling to get their houses in order as they realised the hefty fines they could face, while others buried their heads in the sand. Non-compliance can result in penalties of up to four per cent of an organisation’s worldwide annual turnover or €20 million, whichever is greater.
GDPR: a year in review
Cisco’s latest data privacy benchmark study assessed how prepared organisations are for GDPR and how the new rules are affecting them. A total of 59 per cent of companies report that they are meeting all or most GDPR requirements today, with another 29 per cent expecting to get there within a year. The top challenges in getting ready for GDPR were identified as data security, employee training and keeping up with the evolving regulations.
In the first year we have seen large-scale data breaches reported. Under Article 33, an organisation must notify its supervisory authority of a personal data breach within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals. A new report from DLA Piper indicates that 59,430 data breaches have been reported to EU supervisory authorities since the GDPR compliance deadline of 25 May 2018. The majority were reported in the Netherlands (15,400), Germany (12,600) and the United Kingdom (10,600). According to the European Commission, roughly 40,000 data breach notifications were made to data protection authorities (DPAs) across the EU, and there were some 90,000 complaints from EU citizens, between May 2018, when the regulation came into force, and January 2019.
The largest fine issued to date was €50,000,000, imposed on Google by France’s data protection regulator, CNIL, for failing to obtain valid consent for processing. CNIL said the fine was issued because Google did not provide users with enough information about its data consent policies and did not give them enough control over how their information is used. So far, only a relatively small number of fines have been issued in relation to data breaches. Many supervisory authorities are struggling with the volume of breach notices they have received and there is a considerable backlog to get through, so data breaches reported in 2018 may still result in fines.
Children and GDPR
The protection of children’s data online has not been in the spotlight to date, but that does not mean it is not coming. In the past few months, actions against companies for violations of children’s online privacy have mainly been brought under the US Children’s Online Privacy Protection Act (COPPA), such as the $5.7 million (€5.08 million) fine against the popular app TikTok for improperly collecting children’s data. This is set to change. The European Data Protection Board (EDPB), the EU body that works to ensure data protection law is applied consistently across the EU, has announced its work plan for the next two years and listed the guidelines it will adopt, including guidelines on children’s data. These guidelines will carry weight when it comes to enforcing the GDPR with respect to children. In addition, the Information Commissioner’s Office (ICO), the UK DPA, has been working on an Age Appropriate Design Code that should be released soon.
There are a number of key areas to address when processing children’s data, including consent, the rights of the child and privacy notices.
Privacy notices for children
- Privacy notices must be appropriate for the age of the child and must inform them of their right to have their personal data erased.
- Write your privacy notice in clear, simple language so it is easy to understand.
- Use child-friendly ways of communicating such as videos, diagrams, cartoons, or icons.
- Explain simply why you need the personal data you’ve asked for and what you plan to do with it.
- Explain what rights the child has and how to exercise them.
Meaningful and informed consent
Article 8 of the GDPR sets out the conditions that apply to a child’s consent in relation to information society services offered directly to a child, where consent is the lawful basis for processing. Children under 16 merit specific protection, which includes adopting measures to verify a child’s age and to obtain meaningful and informed consent. The GDPR sets the default age of digital consent at 16, meaning that for users aged 15 and younger the consent must be given or authorised by the holder of parental responsibility. However, Member States may set a lower age, down to a minimum of 13, so the threshold varies by country. Children have the same rights as adults over their personal data, including the rights to access their personal data, to request rectification, to object to processing and to have their personal data erased.
Controllers will need to be able to demonstrate that consent is valid, informed and granular, and that they have methods in place to allow parents to exercise their rights in relation to their children. Under Article 8(2), the controller must also make “reasonable efforts” to verify that consent has been given or authorised by the holder of parental responsibility, taking available technology into account. Understanding the lawful basis for processing a child’s personal data is key. In practice this may require a parents’ dashboard or parent portal through which consent can be reviewed, managed and withdrawn; withdrawal must be as easy as giving consent.
The GDPR does not specify which mechanisms for age verification and parental consent are required, and guidance from the data protection authorities calls on industry to come up with creative solutions. What will and will not qualify as “reasonable efforts” by data controllers to confirm age-appropriate consent remains to be seen and tested. Many organisations do not have the resources to build consent management tools, and existing solutions are few and far between.
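As an added illustration of the consent mechanics described above (this is example code written for this article, not PRIVO’s software or any regulator’s reference implementation), the following Python sketch shows one way to implement a jurisdictional age gate together with a granular, revocable parental-consent record. The national age table is a small assumed subset included only for the example and must be checked against current national law before use; any country not listed falls back to the GDPR default of 16. The purpose names, the “verified-parent-email” method label and the record layout are assumptions for the example.

```python
"""Jurisdictional age gate plus a granular, revocable parental-consent record.

Added illustration for this article; not PRIVO code. All thresholds, purpose
names and method labels are assumptions for the example.
"""
from dataclasses import dataclass, field
from datetime import date, datetime
from enum import Enum
from typing import Dict, List, Optional, Tuple

GDPR_DEFAULT_CONSENT_AGE = 16  # Article 8(1) default where no national law lowers it

# Assumed subset of national ages of digital consent (ISO 3166-1 alpha-2 -> years).
# Verify each value against current national law before relying on it; any country
# not listed falls back to 16, the most protective reading.
NATIONAL_CONSENT_AGE: Dict[str, int] = {
    "DE": 16, "IE": 16, "NL": 16, "FR": 15, "ES": 14, "AT": 14,
    "GB": 13, "BE": 13, "DK": 13, "SE": 13,
}


def consent_age_for(country: str) -> int:
    """Age below which parental authorisation is needed in the given jurisdiction."""
    return NATIONAL_CONSENT_AGE.get(country.strip().upper(), GDPR_DEFAULT_CONSENT_AGE)


def age_on(dob: date, today: date) -> int:
    """Completed years of age on `today`, counting a birthday only once it has passed."""
    if dob > today:
        raise ValueError("date of birth is in the future")
    had_birthday = (today.month, today.day) >= (dob.month, dob.day)
    return today.year - dob.year - (0 if had_birthday else 1)


def parental_consent_required(dob: date, country: str, today: date) -> bool:
    """True when the user is under the local age of digital consent."""
    return age_on(dob, today) < consent_age_for(country)


class Status(Enum):
    PENDING = "pending"    # child registered, parent not yet verified
    GRANTED = "granted"
    REVOKED = "revoked"


@dataclass
class ConsentRecord:
    child_id: str
    country: str
    status: Status = Status.PENDING
    scopes: Dict[str, bool] = field(default_factory=dict)   # purpose -> accepted (granular)
    verification_method: Optional[str] = None               # the "reasonable effort" used
    history: List[Tuple[str, str]] = field(default_factory=list)  # audit trail (Art. 7(1))

    def _log(self, event: str, when: datetime) -> None:
        self.history.append((when.isoformat(), event))

    def grant(self, scopes: Dict[str, bool], method: str, when: datetime) -> None:
        """Record the parent's decision purpose by purpose; a blanket 'yes' is not granular."""
        if not scopes or not any(scopes.values()):
            raise ValueError("at least one purpose must be accepted to grant consent")
        self.scopes = dict(scopes)
        self.verification_method = method
        self.status = Status.GRANTED
        accepted = sorted(p for p, ok in scopes.items() if ok)
        self._log(f"granted via {method} for {accepted}", when)

    def revoke(self, when: datetime) -> None:
        """Withdrawal must be as easy as giving consent (Art. 7(3)); no purpose survives it."""
        self.scopes = {p: False for p in self.scopes}
        self.status = Status.REVOKED
        self._log("revoked by parent", when)

    def allows(self, purpose: str) -> bool:
        """Pending or revoked consent never authorises processing; unknown purposes are denied."""
        return self.status is Status.GRANTED and self.scopes.get(purpose, False)


def register_child(child_id: str, dob: date, country: str, today: date) -> Optional[ConsentRecord]:
    """Open a PENDING record when parental consent is required. None means the user is at or
    above the local threshold and may consent for themselves (other lawful-basis checks still apply)."""
    if not parental_consent_required(dob, country, today):
        return None
    return ConsentRecord(child_id=child_id, country=country)


if __name__ == "__main__":
    today = date(2019, 5, 25)
    rec = register_child("c-001", date(2009, 1, 15), "FR", today)   # age 10 < 15
    assert rec is not None and not rec.allows("gameplay")            # pending: no processing
    rec.grant({"gameplay": True, "analytics": False}, "verified-parent-email",
              datetime(2019, 5, 25, 9, 0))
    print(rec.allows("gameplay"), rec.allows("analytics"))          # True False
    rec.revoke(datetime(2019, 6, 1, 12, 0))
    print(rec.allows("gameplay"))                                    # False
    print(register_child("c-002", date(2005, 3, 3), "GB", today))   # age 14 >= 13 -> None
```

Two design points are worth noting. The gate falls back to the strictest threshold when the jurisdiction is unknown rather than the most permissive one, and `allows()` treats anything other than an explicit, still-valid grant for a named purpose as a denial, which is what makes the consent granular and the revocation effective. Persisting `history` and `verification_method` alongside the scopes is what later lets the controller demonstrate that consent was obtained and how.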
The “buy or build” question is always difficult to answer, and it is far too easy to make the wrong choice. If your company has an in-house development team there may be a push to build privacy platforms internally because, in theory, they can satisfy every need. However, in PRIVO’s experience, building your own registration, consent and identity verification platform is neither as easy as it may appear nor as cost effective in the long run. Working with PRIVO will get a business to market faster, whether you use PRIVO’s APIs and SDKs or leverage PRIVO’s widgets hosted in the PRIVO domain, and will require minimal investment in domain expertise.
Online services that process children’s personal data need to take the necessary steps to become GDPRkids™ compliant or risk a hefty penalty, brand damage and a loss of trust and integrity.
Things to keep in mind:
- If you are a US-based company but process the data of children in the EU, the GDPR applies to your business.
- Ensure you are jurisdictionally aware. Different national rules on processing exist for a reason, and the fact that a service is COPPA compliant does not mean it is also GDPR compliant.
- Provide clear, child-friendly notices explaining your data practices.
- Ensure you can justify your lawful basis for processing, whether it is consent or legitimate interests.
- Don’t rely on legitimate interests as an “easy way out” when consent is required.
Thinking of building your own age verification & permission management platform? Consider these four areas carefully before you make a decision.
Can you build and maintain a regulatory based solution to protect your young consumers?
- To be compliant with the GDPR, you will need to build a jurisdictional age gate that applies the right age threshold for each country and supports multiple verification methods.
- Regulations can be complicated and will continue to evolve.
- Building your own compliant age verification and permission platform is risky: if the rules are violated, hefty fines may be imposed.
Are you getting the best ROI (return on investment) for your effort?
- Identity verification isn’t as simple as checking a credit card.
- Integration with an existing platform is a different process than developing a new application.
- You will need an expert to review your flows to make sure they are compliant.
- You will want an interoperable platform that can easily scale.
- Whatever you build, you will need to invest in continued research and development to keep up with market expectations and competitors.
What does it really cost?
- Although an internal solution may be perceived as the least expensive alternative, this is not always the case, especially once the total cost of development and maintenance is included. Your business would be creating a new product, not a feature of an existing product, and that can become costly in time as well as money. This is not just about counting IT staff costs: total cost accounting will give an honest picture of what it takes to develop and run the platform.
Do you know the benefits of working with a neutral third party and children’s online privacy expert?
- Under the GDPR, a neutral third party can collect and store the identity and consent data on your organisation’s behalf, which supports the requirements for data minimisation and security; where the third party acts as your processor, the arrangement must be set out in a written contract under Article 28.
- A third party such as PRIVO brings experience: its team is composed of online privacy, safety, youth and media experts who have first-hand experience of the regulatory challenges facing the industry. As a result, PRIVO has developed solutions and best practices to overcome those hurdles and continually works on improving the messaging and tactics for obtaining parental consent.
Compliance with the GDPR may require substantial shifts in the processes and technologies companies use to manage information. In the long run, it is an opportunity to provide transparency and trust with your end user.
PRIVO is the leading global industry expert in protecting children’s privacy online and in delegated consent management. As an FTC-approved COPPA Safe Harbor since 2004, certifying hundreds of apps, sites and games from top-performing, well-known kid brands, PRIVO has been developing privacy solutions to empower positive, transparent and secure online relationships between companies, families and schools. PRIVO’s signature Kids Privacy Assured Program helps companies navigate the online privacy landscape, from COPPA and GDPR to the numerous student digital privacy laws, and offers compliant technology solutions that include youth registration, age verification, parental consent and account management.
Denise G Tayloe
+1 (0)703 932 4979