Europe’s new data privacy law, the General Data Protection Regulation (GDPR), will be enforced from May 2018. This law obliges all companies with consumers based in the EU to enable new data privacy protection. For websites and apps whose audience is primarily kids, additional requirements apply, commonly known as GDPR-Kids (GDPR-K).
In this series we outline the steps you ought to take immediately to prepare for GDPR-K. Part One dealt with auditing your technology partners. Part Two dealt with defining and articulating your compliance strategy. Part Three covers how best to revise your privacy notices.
Once you have regained control over the data collection that happens on your site or app (Part One), and have determined ‘who you are’ under GDPR-K (Part Two), it’s time to rewrite your terms of service and privacy policies.
EU regulators are determined to make incomprehensible legal notices a thing of the past, so GDPR-K requires you to post privacy notices that are concise and transparent and written in ‘clear and plain language, in particular if addressed to a child.’
The first notice should be contextual, in the place where you are about to collect the data. It can even be ‘just-in-time’, like a tool-tip, as in this useful example provided by the UK’s Information Commissioner:
- Who is your audience?
- What data do you collect?
  - data type and how it is collected
  - purpose / use case
  - how your use impacts your users
  - with whom it’s shared and why
  - where it’s stored
  - how you protect it
- On what legal basis you collect data (consent, legitimate interest or other)
- How users can exercise their rights to view, amend, delete or to withdraw consent
Note that the GDPR allows non-governmental organisations to bring legal cases on behalf of individuals, and allows individuals to sue companies for damages if they are in breach. This is a game-changer in Europe.
In the US, we have seen a wave of civil lawsuits against publishers who were likely compliant with COPPA, but did not explain it sufficiently clearly in their policies.
Your notices and policies should be comprehensive and you’ll need legal advice to complete them. If you are allowing the collection of any personal data (including cookies and other persistent identifiers), explain why, the legal basis and why you believe it’s compliant with GDPR.
Congratulations – you’ve taken the most important steps in minimising your risk of being fined after May 25th. In the next few weeks, we’ll be posting guidance on three additional GDPR-K topics:
1. Monetising your kids’ site or app compliantly
2. How to acquire users compliantly and leverage cross-promotion
3. Collecting data and applying verifiable parental consent flows
Subscribe to the blog above to make sure you don’t miss a post. We will also be posting the Toolkit to our website.