Historically the European Union's Directive on data protection did not explicitly mention the privacy rights of minors, but applied the same data protection principles to children and adults alike.1 That said, there was recognition within the EU that when applying general principles of privacy the age of a data subject may be relevant. For example, while the EU Directive permits companies to collect and process data about a person if the company receives their "consent," a company may not be able to obtain valid consent of a child if local law would not view a child as having sufficient capacity to give such consent.2
The EU's new General Data Protection Regulation ("GDPR"), which goes into force in Spring 2018, specifically recognizes that "children deserve specific protection of their personal data, as they may be less aware of risks, consequences, safeguards and their rights …."3 Like United States law, the GDPR also requires that a company obtain the consent of a parent if it offers an information society service to a child.4 An "information society service" refers to most electronic services that a child might use and that request information about the child.5 The requirement that consent be obtained applies to information collected from children who are below the age of 16, although member states have discretion to lower the threshold so that, like the United States, it only applies to children who are below the age of 13.6 The following provides a snapshot of information concerning fines.
- The largest fine obtained by the FTC in the United States for a violation of COPPA.7
- The percentage of a company's revenue that may be fined if it fails to comply with the GDPR's requirement to obtain parental consent.8
What to think about when reviewing your website for compliance with US law and the GDPR:
- Does your website ask children to provide information?
- If not, does your website automatically collect information about a child's computer or session?
- Would your website appeal to children?
- Has the FTC or an EU Data Protection Authority received complaints about your website? If so, how many and were any issues concerning the collection of information from children raised in the complaints?
- Does your website ask for parents' permission to collect information about children?
- Does your website verify that the parent is the actual parent of a child?
- Has the verification mechanism been approved by the FTC?
- Can you limit liability by joining an FTC approved self-regulatory organization (sometimes called a "safe harbor" program) or an EU Certification program?
- Which safe harbor or certification program provides the most benefit to your organization?