In this Privacy Tracker series, we look at laws from across the globe and match them up against the EU General Data Protection Regulation. The aim is to help you determine how much duplication of operational effort you might avoid as you move toward GDPR compliance and help you focus your efforts. In this first installment, Tay Nguyen explores the relationship between provisions of the U.S. Children's Online Privacy Protection Act and rules for handling children's data in the GDPR.
The European Union does not have an independent law that addresses the protection of children’s data similar to the United States’ Children’s Online Privacy Protection Act of 1998. Rather, it addresses the protection of children’s data throughout its General Data Protection Regulation by indicating which provisions within the GDPR warrant a higher standard to protect children’s data. Aside from a vagueness as to the requirements for parental consent, however, the GDPR’s provisions may still provide for as strong an application and thus as strong a protection of children’s data as COPPA.
On a broader level, the GDPR and COPPA were written with a different focus. The GDPR has a wider focus on data protection for all natural persons. Further, the GDPR relates to all collection, use, and disclosure of data and provides for instances where the standards enacted must be higher when the data comes from children. The rights to access and rectification of data provided for under Articles 15 and 16, for example, do not provide for a distinction between child and adult data subjects. The right to erasure, also referred to as the right to be forgotten under Article 16, however, explicitly holds that the right is more relevant when consent to data processing was given while a data subject was a child.
In contrast to the GDPR, COPPA is narrower in its focus, prohibiting unfair or deceptive practices related to children’s data online. In addition, COPPA applies only to web operators or online services that are directed at children, or that have actual knowledge that they are collecting personal information from children.
Age of consent
Looking more closely at the two laws, the most apparent difference between the GDPR and COPPA relates to the question of the age at which children can give consent for the collection and processing of their data. Unlike many of its other terms, which are presented to apply to all data subjects, the GDPR lays down the parameters for consent for children’s data in a clearer manner.
Under Article 8, member states are afforded a range within which they can set the age of consent: no lower than 13, but no higher than 16. This range is an update to the Data Protection Directive, currently in place, which did not explicitly mention the protection of children’s data, but left it up to the member states to interpret children as included within the general protection of all natural persons. Under the Data Protection Directive, the age of consent varied across the European Union. In Spain, for example, the age of consent was set in law at 14 years old while the U.K. merely interpreted the age of consent to be 12 years old without explicitly including it in the Data Protection Act. The GDPR’s range provides clearer guidelines for the member states, but it remains to be seen whether providing a range as opposed to a specific age would resolve this inconsistency.
Unlike the GDPR, COPPA sets a clear threshold for age of consent for data collection and processing at 13 years old. COPPA has not, however, limited whether individual states can provide for stricter requirements under state law. As such, the different routes the GDPR and COPPA took in determining the age of consent as it relates to data collection and processing may not produce drastically different results.
Parental consent and access
Another difference between the GDPR and COPPA, one that may have a bigger effect on the protection of children’s data, is the depth of detail each provides for obtaining parental consent and for parental access to data when the data subject is under the age of consent.
The GDPR has only minor advisement relating to verification of parental consent, leaving it up to the controller to make reasonable efforts to obtain verification. It is silent on the issue of parental access to their child’s data. Aside from stipulations member states may enact or potential case law that may arise, it can only be inferred from the requirement for parental verification that parents would have access to their children’s data. The GDPR’s requirement for reasonable efforts is also found in COPPA; however, additional information regarding satisfactory methods as well as exceptions is provided in the law to give affected web operators more guidance on how to structure their decisions.
The potential for diversion
As a comparative example, look at the privacy notice requirement under California’s Online Privacy Protection Act. It is possible to see how one state’s implementation of a firmer requirement can help to normalize the requirement across the United States. Under CalOPPA, all commercial websites are required to include their privacy policies if that website collects personally identifiable information from California consumers. Given the size of California’s population, the application of CalOPPA has far-reaching effects across the nation regardless of whether another state lacks the same requirement. Applying the CalOPPA example to the European Union and the GDPR, if Germany as the largest member state by population were to set its age of consent at 16 years old, many other member states may be forced to comply with the requirement even if those countries’ requirements were lower.
By nature of the difference in the European Union and the United States’ approaches to privacy on a broader scale—the former operating under a comprehensive privacy model and the latter under a sectoral model—the protection of children’s data is necessarily different. Nevertheless, the two methods of addressing children’s data may not produce as varied results as one might think. Both the GDPR and COPPA, at their core, provide a baseline for the protection of children’s data.
It remains to be seen whether the largest difference between the GDPR and COPPA as it relates to children’s data – parental consent – will produce as varied results as one might expect given the big role individual member states still have in enacting their national laws alongside the GDPR.