News Stream Books Videos Web Conferences Subscriptions Advertise About IAPP Publications
Daily Dashboard Daily Dashboard

The day’s top stories from around the world

 AI Governance Dashboard – New AI Governance Dashboard – New

Stay on top of the latest AI governance news and developments of the profession.

 The Privacy Advisor The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

 Privacy Perspectives Privacy Perspectives

Where the real conversations in privacy happen

 Privacy Tech Privacy Tech

Exploring the technology of privacy

 Canada Dashboard Digest Canada Dashboard Digest

A roundup of the top Canadian privacy news

 Europe Data Protection Digest Europe Data Protection Digest

A roundup of the top European data protection news

 Asia-Pacific Dashboard Digest Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

 Latin America Dashboard Digest Latin America Dashboard Digest

A roundup of the top privacy news from Latin America

 U.S. Privacy Digest U.S. Privacy Digest

A roundup of US privacy news
Overview KnowledgeNet Chapters Sections Affinity Groups Volunteer Annual Awards Career Central
Find a KnowledgeNet Chapter Near You

Talk privacy and network with local members at IAPP KnowledgeNet Chapter meetings, taking place worldwide.

 IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

 IAPP Calendar

Review a filterable list of conferences, KnowledgeNets, LinkedIn Live broadcasts, networking events, web conferences and more.
Overview Online Training Live Online Training In-Person Training Books Practice Exams Train Your Staff Official Training Partners Web Conferences
Artificial Intelligence Governance Professional Artificial Intelligence Governance Professional

Learn how to surround AI with policies and procedures that make the most of its potential by reducing its risks.

 European Data Protection (CIPP/E)

Understand Europe’s framework of laws, regulations and policies, most significantly the GDPR.

 U.S. Private-Sector Privacy (CIPP/US)

Steer a course through the interconnected web of federal and state laws governing U.S. data privacy.

 Canadian Privacy (CIPP/C)

Learn the intricacies of Canada’s distinctive federal/provincial/territorial data privacy governance systems.

 Privacy Program Management (CIPM)

Develop the skills to design, build and operate a comprehensive data protection program.

Privacy in Technology (CIPT)

Add to your tech knowledge with deep training in privacy-enhancing technologies and how to deploy them.

 Foundations of Privacy and Data Protection

Introductory training that builds organizations of professionals with working privacy knowledge.

 Privacy Law Specialist Training (PLS)

Meet the stringent requirements to earn this American Bar Association-certified designation.
Overview Certification Programs Get Certified How to Prepare Continuing Privacy Education (CPE) Fees Certify Your Staff Verify a Certification
CIPP Certification CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

 CIPM Certification CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

 CIPT Certification CIPT Certification

As technology professionals take on greater privacy responsibilities, our updated certification is keeping pace with 50% new content covering the latest developments.

 FIP Designation FIP Designation

Recognizing the advanced knowledge and issue-spotting skills a privacy pro must attain in today’s complex world of data privacy.

 Privacy Law Specialist Privacy Law Specialist

The first title to verify you meet stringent requirements for knowledge, skill, proficiency and ethics in privacy law, and one of the ABA’s newest accredited specialties.

 AIGP Certification AIGP Certification

Ensures individuals responsible for AI systems can reduce the risks associated with this technology.

 Certificação CDPO/BR Certificação CDPO/BR

Mostre seus conhecimentos na gestão do programa de privacidade e na legislação brasileira sobre privacidade.

 Certification CDPO/FR Certification CDPO/FR

Certification des compétences du DPO fondée sur la législation et règlementation française et européenne, agréée par la CNIL.
Tools and Trackers Research Glossary Global Privacy Directory Enforcement Database Westin Research Center Web Conferences Jobs Privacy Vendor Marketplace
Global Privacy Directory

This tool identifies global data protection authorities and privacy legislation.
US State Privacy Legislation Tracker

The IAPP’s US State Privacy Legislation Tracker consists of proposed and enacted comprehensive state privacy bills from across the U.S.
Reports and Surveys

Access all reports and surveys published by the IAPP.
Privacy Governance Report

This report shines a light on the location, performance and significance of privacy governance within organizations.
Privacy Risk Study

This year’s Privacy Risk Study represents the most comprehensive study of privacy risk undertaken by the IAPP in collaboration with KPMG.
Artificial Intelligence

On this topic page, you can find the IAPP’s collection of coverage, analysis and resources covering AI connections to the privacy space.
CCPA and CPRA

IAPP members can get up-to-date information here on the California Consumer Privacy Act and the California Privacy Rights Act.
EU General Data Protection Regulation

The IAPP's EU General Data Protection Regulation page collects the guidance, analysis, tools and resources you need to make sure you're meeting your obligations.
Data Protection Intensive: UK Data Protection Intensive: UK

Explore the full range of U.K. data protection issues, from global policy to daily operational details.

Global Privacy Summit Global Privacy Summit

Expand your network and expertise at the world’s top privacy event featuring A-list keynotes and high-profile experts.

AI Governance Global AI Governance Global

A new event in Brussels for business leaders, tech and privacy pros who work with AI to learn about practical AI governance, accountability, the EU AI Act and more.

 Canada Privacy Symposium Canada Privacy Symposium

Leaders from across the Canadian privacy field deliver insights, discuss trends, offer predictions and share best practices.

Asia Privacy Forum Asia Privacy Forum

Hear top experts discuss global privacy issues and regulations affecting business across Asia.

 Privacy. Security. Risk. (P.S.R.) Privacy. Security. Risk. (P.S.R.)

P.S.R. focuses on the intersection of privacy and technology. The call for proposals to speak at the 2024 event is open. Submit your ideas today.

 Europe Data Protection Congress Europe Data Protection Congress

Europe’s top experts offer pragmatic insights into the evolving landscape and share knowledge on best practices for your data protection operation.

 ANZ Summit ANZ Summit

Gain exclusive insights about how privacy affects business in Australia and Aotearoa New Zealand.

 Speak at an IAPP Event

View our open calls and submission instructions.

 Sponsor an Event

Increase visibility for your organization — check out sponsorship opportunities today.

Individual Membership Corporate Membership Group Membership Student Membership
Become a Member

Start taking advantage of the many IAPP member benefits today

 Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

 Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits
{[product.name]} {[ product.name ]}
clear
mode_editEdit
remove_circle_outline {[ getCartItemQuantity(product.id) ]} add_circle_outline
{[ product.price | currencyFilter ]}
TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

Privacy Tracker | GDPR matchup: The Children's Online Privacy Protection Act Related reading: Biden signs bill reauthorizing FISA Section 702

rss_feed

""

""

""

In this Privacy Tracker series, we look at laws from across the globe and match them up against the EU General Data Protection Regulation. The aim is to help you determine how much duplication of operational effort you might avoid as you move toward GDPR compliance and help you focus your efforts. In this first installment, Tay Nguyen explores the relationship between provisions of the U.S. Children's Online Privacy Protection Act and rules for handling children's data in the GDPR.

The European Union does not have an independent law that addresses the protection of children’s data similar to the United States’ Children’s Online Privacy Protection Act of 1998. Rather, it addresses the protection of children’s data throughout its General Data Protection Regulation by indicating which provisions within the GDPR warrant a higher standard to protect children’s data. Aside from a vagueness as to the requirements for parental consent, however, the GDPR’s provisions may still provide for as strong an application and thus as strong a protection of children’s data as COPPA.

On a broader level, the GDPR and COPPA were written with a different focus. The GDPR has a wider focus on data protection for all natural persons. Further, the GDPR relates to all collection, use, and disclosure of data and provides for instances where the standards enacted must be higher when the data comes from children. The right to access and rectification of data provided for under Articles 15 and 16, for example, do not provide for a distinction between child and adult data subjects. The right to erasure, also referred to as the right to be forgotten under Article 16, however, explicitly holds that the right is more relevant when consent to data processing was given while a data subject was a child.

In contrast to the GDPR, COPPA is narrower in its focus, prohibiting unfair or deceptive practices related to children’s data online. In addition, COPPA applies only to web operators or online services directed at children, or who has actual knowledge that it is collecting personal information from children.

Age of consent
Looking more closely at the two laws, the most apparent difference between the GDPR and COPPA relates to the question of the age at which children can give consent for the collection and processing of their data. Unlike many of its other terms, which are presented to apply to all data subjects, the GDPR lays down the parameters for consent for children’s data in a clearer manner.

Under Article 8, member states are afforded a range within which they can set the age of consent: no lower than 13, but no higher than 16. This range is an update to the Data Protection Directive, currently in place, which did not explicitly mention the protection of children’s data, but left it up to the member states to interpret children as included within the general protection of all natural persons. Under the Data Protection Directive, the age of consent varied across the European Union. In Spain, for example, the age of consent was set in law at 14 years old while the U.K. merely interpreted the age of consent to be 12 years old without explicitly including it in it the Data Protection Act. The GDPR’s range provides clearer guidelines for the member states, but it remains to be seen whether providing a range as opposed to a specific age would resolve this inconsistency.

Unlike the GDPR, COPPA sets a clear threshold for age of consent for data collection and processing at 13 years old. COPPA has not, however, limited whether individual states can provide for stricter requirements under state law. As such, the different routes the GDPR and COPPA took in determining the age of consent as it relates to data collection and processing may not produce drastically different results.

Parental consent and access

Other differences between the GDPR and COPPA which may have a bigger effect on the protection of children’s data is the depth of detail each provides for obtaining parental consent and for parental access to data when the data subject is under the age of consent.

The GDPR has only minor advisement relating to verification of parental consent, leaving it up to the controller to make reasonable efforts to obtain verification. It is silent on the issue of parental access to their child’s data. Aside from stipulations member states may enact or potential case law that may arise, it can only be inferred from the requirement for parental verification that parents would have access to their children’s data. The GDPR’s requirement for reasonable efforts is also found in COPPA; however, additional information regarding satisfactory methods as well as exceptions is provided in the law to give affected web operators more guidance on how to structure their decisions.

The potential for diversion

As a comparative example, look at the privacy notice requirement under California’s Online Privacy Protection Act. It is possible to see how one state’s implementation of a firmer requirement can help to normalize the requirement across the United States. Under CalOPPA, all commercial websites are required to include their privacy policies if that website collects personally identifiable information from California consumers. Given the size of California’s population, the application of CalOPPA has far-reaching effects across the nation regardless of whether another state lacks the same requirement. Applying the CalOPPA example to the European Union and the GDPR, if Germany as the largest member state by population were to set its age of consent at 16 years old, many other member states may be forced to comply with the requirement even if those countries’ requirement were lower.

By nature of the difference in the European Union and the United States’ approaches to privacy on a broader scale—the former operating under a comprehensive privacy model and the latter under a sectoral model—the protection of children’s data is necessarily different. Nevertheless, the two methods of addressing children’s data may not produce as varied results as one might think. Both the GDPR and COPPA, at their core, provide a baseline for the protection of children’s data.

It remains to be seen whether the largest difference between the GDPR and COPPA as it relates to children’s data – parental consent – will produce as varied results as one might expect given the big role individual member states still have in enacting their national laws alongside the GDPR.

photo credit: Enokson Student and Laptop via photopin (license)

Author
Headshot Tay Nguyen, CIPP/E, CIPP/US, CIPM IAPP Member Contributor
Tags
Europe
U.S.
Children's Privacy
Privacy Law
1 Comment

If you want to comment on this post, you need to login.

  • comment Stephan Hendel • Apr 8, 2018 
    If you are running a webshop in Germany, we will be happy to help you with all questions concerning the GDPR. Just write us an email via https://www.gabler-hendel.de/data-protection-regulation/
Related Stories
Biden signs bill reauthorizing FISA Section 702
U.S. President Joe Biden signed legislation reauthorizing Section 702 of the Foreign Intelligence Surveillance Act 20 April, The Associated Press reports. The Senate passed a bill 60-34, renewing Section 702 authority just after the deadline for the program to expire. Meanwhile, Columbia University ...
Read More queue Save This
US House passes bill to force sale of TikTok
The U.S. House voted in favor of fast-tracking a bill to compel TikTok's parent company, ByteDance, to divest itself of the app, The New York Times reports. If passed and signed into law, the bill would give ByteDance up to one year to find a U.S.-government approved buyer for TikTok or face a natio...
Read More queue Save This
Catching up on IAPP GPS 2024 keynote speeches
The IAPP released several full-length keynote presentations from the IAPP Global Privacy Summit 2024. Columbia University Law Professor Anu Bradford discussed the differences between digital regulatory models in China, the EU and the U.S. and their implications for liberal democracy. Other presentat...
Read More queue Save This
Google to pay $62M in location privacy settlement
The U.S. District Court for the Northern District of California agreed to the settlement terms of Google's location privacy lawsuit that would require Google to pay USD62 million, MediaPost reports. The class-action lawsuit accused Google of storing "location data harvested from some services, inclu...
Read More queue Save This
Related Stories
Tags
Europe
U.S.
Children's Privacy
Privacy Law
Recent Comments