In the United States, since the passage of the Children’s Online Privacy Protection Act (COPPA) in 1998 and the Federal Trade Commission’s (FTC) subsequent COPPA Rule in 2000, there have been specific rules regarding the collection of data from children under 13.
Namely, you can’t do it unless you obtain “verifiable parental consent,” with certain limited exceptions. Recently, you may have heard the FTC will now accept “selfies” as a method of parental consent, for example.
It was no surprise, then, when the European Commission released its first draft of the General Data Protection Regulation in 2012, to see language similarly protecting children under the age of 13. The current Directive has no specific protections for children.
In Article 8 of the original draft, the Commission proposed, “in relation to the offering of information society services directly to a child, the processing of personal data of a child below the age of 13 years shall only be lawful if and to the extent that consent is given or authorised by the child's parent or custodian. The controller shall make reasonable efforts to obtain verifiable consent, taking into consideration available technology.”
There’s also language saying the Commission reserves the right to figure out what “reasonable” might mean and what specific methods of obtaining consent would be appropriate. In many ways, it’s similar to COPPA.
However, in the most recent draft of the GDPR, released by the European Council and obtained by Statewatch, the language is changed, most notably raising the age to 16:
“Where Article 6 (1)(a) applies, in relation to the offering of information society services directly to a child, the processing of personal data of a child below the age of 16 years shall only be lawful if and to the extent that such consent is given or authorised by the holder of parental responsibility over the child.”
This would be a significant departure from the likes of COPPA, and may take many of those offering services to teenagers by surprise.
Already the gaming industry, advertising industry and others had been preparing their members for the switch to the 13-year threshold. Raising the bar to 16 may be perceived as another matter entirely.
The Advertising Education Forum, for example, released an educational document in 2013 outlining the impact of the creation of an age limit where parental consent would be needed. In its policy recommendations to lawmakers, the document asserts, “Children should be defined as under 13, according to international and EU best practice.”
Similarly, an article in Games Industry from January of this year noted, “This will bring the EU's data protection regime more closely in line with the US's Children's Online Privacy Protection Act of 1998 which places similar requirements on any company that wishes to process any personal information relating to a child under the age of 13 years.”
As the trilogue negotiations are opaque, it’s unclear why this change would be made by the Council or who is particularly in favor of it. The Parliament’s draft has never wavered from the age of 13 and Article 8 is one of the few pieces of the GDPR where the Parliament’s draft is relatively unchanged from the original Commission proposal.
The Parliament added two significant pieces: First, a requirement that information provided to children and their guardians regarding consent be in plain language; second that the European Data Protection Board, and not the Commission, be entrusted with issuing best practices and guidelines for obtaining and verifying consent.
Up till now, no one has mentioned raising the age to 16.
“One area where Europe has previously lagged behind the U.S. is in the protection of children's data and this new rule will have significant implications,” noted Nicola Regan, CIPP/E, senior partner with the Privacy Partnership and a former policy analyst for the Information Commissioner’s Office in the UK. “A parental consent requirement for the processing of under 16's data will have huge implications on the use of social media by children. Younger European teenagers may miss out on services if companies think the burden of obtaining parental consent is too great. Instead they may opt to designate such services as only for those 'over 16.'”
This has some children’s advocates already weighing in. Janice Richardson, former coordinator of the European Safer Internet Network, and now expert to the ITU and the Council of Europe, has published an open letter strenuously objecting to the change. She notes that moving the age to 16, when the international standard has been 13 and many children between 13 and 15 have already been using many Internet services frequently, will likely only incentivize children to lie about their age, bar them from accessing information and services that are their fundamental human rights and possibly keep them from seeking support services if they are amongst vulnerable communities like those who are being abused or are LGBTQ.
“Online services have provided children with a safe place to explore and learn and indeed, according to renowned researcher Dr. David Finkelhor, appear to have had a significantly positive impact on many aspects of safety and behaviour,” she writes in the letter, which is co-signed by SOS il Telefono Azzurro of Italy, the UK’s Family Online Safety Institute and Diana Award organization, and Cyberhus of Denmark.
Hogan Lovells' Eduardo Ustaran, CIPP/E, didn't mince words on the topic.
"My view is that requiring parental consent for the use of digital services of under 16s is probably the most unrealistic legal requirement I have come across in my career," he said. "Clearly whoever came up with that requirement does not have teenage kids. The obvious implication is that all such services will rely on different legal bases for the collection and use of young users' data."
But, by contrast, Caroline Olstedt Carlström, chief counsel of global privacy at Sweden's Klarna, said she doesn't see such a change making a big impact.
"In Sweden and under the present regime [the directive], it's considered by the DPA that as a general rule children below 15 years of age would normally not be able to fully comprehend what the data processing activities may entail, hence, parental consent would be required (of course, in specific cases there might be exceptions)," she wrote in an email. "Furthermore, it's also a general legal requirement that children under 16 may not enter into a valid legal agreement without parental consent."
Given that, she continued, "I fail to see that this change would have a huge impact on the local market, local product offerings, etc. (very much a different view of course for US services now becoming in scope due to different territorial application). Based on the increased focus on children's online rights and needs over the last years, I find this to be a quite natural adaptation in line with the general views. Of course, it also remains to figure out effective ways of doing this and what parental authorization might entail in practice if this change makes it into the final text."
Currently, the generally held belief is that the GDPR negotiations will wrap up with a final trilogue meeting on December 15. Will this issue come up as a major negotiation point? Is the Parliament of the same mind that the age of consent should be raised to 16? Is this change in the Council draft something they’re trying to use for negotiating leverage to get some other point changed in the Parliament draft? Or is it a typo?
The latter seems unlikely, but those in the privacy community will have to wait and see.