Europe’s new data privacy law, the General Data Protection Regulation (GDPR), will be enforced from May 2018. This law obliges all companies with consumers based in the EU to enable new data privacy protection. For websites and apps whose audience is primarily kids, additional requirements apply, commonly known as GDPR-Kids (GDPR-K).
In this series we outline the steps you ought to take immediately to prepare for GDPR-K. Part One dealt with auditing your technology partners. Part Two deals with defining and articulating your compliance strategy.
One of the most important steps is to decide upfront whether you are primarily a kids’ site or not.
Under COPPA, any service with child-friendly content may be classified by the regulator as ‘child-directed’. The GDPR’s definition of a service ‘offered to children’ is even broader, and will capture many sites and apps that today do not consider themselves for kids. In short, if you have a mixed audience of both kids and adults, then under GDPR-K you are a kids’ site.
The safest way to proceed is to articulate very clearly who your audience is. You can do this either by separating your services by content, or by segregating your audience before they reach your service. The tools for this are: signposting and age-gating.
Note that if your primary audience is kids, then under COPPA and GDPR-K you must treat all your visitors as kids (and you may not age-gate). For information on monetising that audience compliantly, check out Part 4 of our toolkit.
However, if your content appeals to children and adults, such as casual HTML5 games on web, or many mobile games, we recommend age-gating visitors when they land on your site or open your app. An appropriate age gate asks them in a neutral manner how old they are (not their birthdate – that is more information than you need).
If they are below the age of digital consent under the GDPR’s Article 8 (this depends on which country the user is in – see map below), you will need to funnel them into a zero-data version of your service, e.g. remove social media plugins and third-party data collectors such as ad networks that do profiling or behavioural targeting. If they are above the age of consent, you may treat them as any other (adult) visitor.
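The age-gate routing described above, sketched as an added example (it is not code from this post or from the publisher SDK it mentions). The function names, the placeholder country codes `AA`/`BB`, the integration list and its `collectsData` flag are all hypothetical; the only fixed values are Article 8's default age of 16 and its floor of 13. Unknown countries and unusable answers fall back to the zero-data experience.

```javascript
// Added example: age-gate routing. All identifiers are hypothetical.
const ART8_DEFAULT_AGE = 16; // GDPR Article 8(1) default age of digital consent
const ART8_MIN_AGE = 13;     // Member States may lower it, but not below 13

// Constructed placeholder table: replace with ages you have verified for
// each country you serve. "AA" and "BB" are not real country codes.
const SAMPLE_CONSENT_AGES = { AA: 13, BB: 15 };

function consentAge(country, table) {
  const age = table[String(country || "").toUpperCase()];
  if (!Number.isInteger(age)) return ART8_DEFAULT_AGE; // unknown country: strictest
  return Math.min(ART8_DEFAULT_AGE, Math.max(ART8_MIN_AGE, age));
}

// answer: the visitor's age in whole years (never a birthdate).
function routeVisitor(answer, country, table = SAMPLE_CONSENT_AGES) {
  const age = typeof answer === "number" ? answer : Number(String(answer).trim());
  // Fail closed: anything that is not a plausible whole-number age is
  // treated as a child and gets the zero-data experience.
  if (!Number.isInteger(age) || age < 0 || age > 120) return "zero-data";
  return age < consentAge(country, table) ? "zero-data" : "standard";
}

// Constructed list of integrations a mixed-audience site might load.
const INTEGRATIONS = [
  { name: "game-engine", collectsData: false },
  { name: "social-share-plugin", collectsData: true },
  { name: "behavioural-ad-network", collectsData: true },
  { name: "contextual-ads", collectsData: false },
];

// In zero-data mode, only integrations that collect no personal data load.
function integrationsFor(mode, all = INTEGRATIONS) {
  return all
    .filter((i) => mode === "standard" || !i.collectsData)
    .map((i) => i.name);
}

// Stand-alone demo: a 12-year-old in placeholder country "BB".
const mode = routeVisitor(12, "BB");
console.log(mode, integrationsFor(mode));
```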
If, on the other hand, your site is mainly for adults but includes content appealing to kids – such as the product website of a toy company or a kids’ entertainment business – an alternative to age-gating is to ‘signpost’ clearly which section is for which audience. Best practice is to make your main landing page child-safe, e.g. by applying the zero-data collection principle, including no social media plugins.
From there, clearly marked navigation would take the visitor either to more kids’ content (zero data), or to a grown-up section (e.g. corporate info or a shop). When a user leaves any kid-safe area, always pop a friendly ‘bumper’ message letting them know.
Be overly transparent and clear about which parts of your service are child-directed and which are not for kids. Getting this wrong has led to costly fines for several well-known kids’ brands in the US, and we expect the regulators to make this an area of focus under GDPR-K.
If you’d like to know more about how the age gate feature in our publisher SDK works and about best practices for implementing age gates, please contact us on firstname.lastname@example.org.
Next week in Part 3 we cover the requirement for ‘transparent notices’ and how to explain data collection to kids. To know when we’ve posted, subscribe to the blog above. We will also be posting the Toolkit to our website.