Europe’s new data privacy law, the General Data Protection Regulation (GDPR), will be enforced from May 2018. This law obliges all companies with consumers based in the EU to enable new data privacy protection. For websites and apps whose audience is primarily kids, additional requirements apply, commonly known as GDPR-Kids (GDPR-K).
In this series we outline the steps you ought to take immediately to prepare for GDPR-K. Part One deals with auditing your technology partners.
The most urgent action is to get a full picture of what data is being collected from your users by third parties. You – the publisher – bear full responsibility and legal liability for any data collected by others. This includes the explicit and hidden trackers all the bits of embedded code, including ad tags, social media plugins, tag managers, analytics trackers, etc.
If you’re like most publishers that have been around for a while, you will have lots of third-party code and legacy data collectors that you don’t even know about. If you’re unsure, use a tool like Ghostery or Androlyzer to check who is collecting data from your users.
Then, immediately remove all the trackers you are not actually using or don’t absolutely need. Second, ask each of your remaining suppliers to explain what data they are collecting and how this will be treated under GDPR-K. To help you with such an audit, we’ve prepared a form you can use – just download our Partner Compliance Questionnaire and send to your suppliers.
Finally, give the answers to your lawyers so that they can do a thorough assessment of your data collection practices. Remember that – under GDPR-K – social media plugins and data collection for behavioural advertising and profiling will not be permitted on kids’ sites without consent.
In Part Two we will walk through how to classify your site or app under GDPR-K and how to use age gates and ‘sign-posting’. To know when we’ve posted, subscribe above.