GDPR And Children's Data: What Brands Need To Know
Collecting data from children is already subject to legislation in the United States. But as GDPR comes into effect, there are certain provisions brands that work with children's data need to pay attention to.
Age of consent changes
Under GDPR, “processing of the personal data of a child” is only allowed by law when the child is at least 16 years old. If a child is under 16 years of age, companies must obtain consent from the child's parent or legal guardian to collect and process their data. Any collection of data from children under the age of 13 is prohibited.
The United States' current Children's Online Privacy Protection rule (COPPA) allows for organizations to begin collecting data without parental consent at age 13. This means that brands collecting data may need to expand their current consent obligations to include children up to age 16.
Brands who seek consent must also “make reasonable efforts” to verify that parental consent is valid. However, it does not explicitly state how organizations are supposed to do this, only that it must be done by “taking into consideration available technology.”
Notably, GDPR also states that any privacy notice from organizations looking to collect data directly from a child must write their privacy notice in a way that is clear and easy to understand for children.
“Given that children merit specific protection, any information and communication, where processing is addressed to a child, should be in such a clear and plain language that the child can easily understand.”
This is where some brands need to take notice – and another look at how their privacy policies are worded. In general, privacy policies need to be written in such a way that makes them accessible to potential users – which can already be a challenge if jargon and legalese is used.
Brands need to consider how certain policies are explained when speaking to a child. In these use cases, it's not just making the copy appropriate for general audiences – it's for an audience that may not have as clear of an understanding of their rights.
Protection of data
Generally, GDPR stresses the importance of clarification when data collection is being used for the purpose of marketing or advertising:
“This is of particular relevance in situations where the proliferation of actors and the technological complexity of practice make it difficult for the data subject to know and understand whether, by whom and for what purpose personal data relating to him or her are being collected, such as in the case of online advertising.”
As we said earlier this week, companies that host third-party advertisers or collect “personal data” from EU audiences need to ensure that users opt-in before that data is collected.
In the United States, there are already measures that organizations collecting data from children need to follow in order to protect children from third-parties that may not have as stringent policies in place.
Keeping advertisers at 'arm's distance'
Recently, concerns over child data protection came to light after the release of Facebook's Messenger Kids app, which is recommended for children as young as six years old. Facebook asserts they are compliant under COPPA because parents are required to manage accounts for their children. But how the data collected from the app and shared with third-party vendors is still ambiguous.
Storybooth, a company that turns user-submitted stories into animated video, regularly collects data from minors.
“We have an extremely hard line against third parties getting access to them through what we can control,” Paul Beck, CMO, said. “On YouTube for example, we are about to pass a million subscribers with whom we are extremely engaged with from a notification, content consumption, conversation and insights gathering perspective. We do not allow third parties to engage with them directly on our channels where we can control it.”
“As a policy, we work to 'protect' our audiences, rather than simply abiding by laws and rules,” Beck continued. "We have checks and balances set up to ensure we stay ‘arms distance,' protecting them from third-party access to our audience.”