For the latest GDPR-K information, check out our Toolkit here.

Last week the law, governing data privacy for kids in Europe, was finally passed – read on to find out how this will affect your digital media business, and the practical steps to take next.

What does the law mean?

GDPR is intended to give Europeans more control over how their data is collected online.

GDPR will impact any company that manages consumer data.  It includes provisions to give consumers the ‘right to be forgotten’, to provide ‘clear and affirmative’ consent to the collection of personal data and the right to know when your data has been hacked.

Critically for those working in the kids’ space, the EU-wide data privacy rules for children are now equivalent to the US COPPA legislation.  Article 8 of the GDPR outlines specific measures companies must take, with fines of up to 4% of global turnover for those that don’t comply.

What do advertisers, agencies and ad-tech providers need to know?

To be clear, the GDPR is not intended to prevent advertising: instead, it creates a clear, EU-wide framework for how online marketing to children must legally be undertaken.

  • Profiling and behavioural ad targeting on kids’ sites and apps are not permitted. This means no programmatic, and no re-targeting unless they are done through certified kids’ platforms;
  • As in the US, basic performance tracking (impressions, clicks, CTR) IS permitted; and,
  • Advertisers, ad networks, platforms and agencies will bear co-responsibility with the publisher to ensure their campaigns are compliant.

Most ad technology providers and networks are not compliant with the kids’ requirements of this new law. If you are not using kid-specific ad partners, we urge you to start a review process immediately.

How does this affect publishers of kids’ apps and websites?

As with COPPA, publishers of websites, apps and digital services for kids will be required to obtain verified parental consent before collecting any data from children. Worth noting:

  • We expect countries across the EU to set different age limits between 13 and 16 to define ‘a child’
  • To obtain consent, the identity of the parent needs to be verified using ‘available technology’.  We expect these methods are likely to include so-called ‘Email Plus’, credit card transactions, and the ‘selfie method’
  • Notices addressed to children must be in ‘plain language’ and understandable by the target age group

What can kids’ content owners do NOW?

  1. Review and rewrite your Privacy Policy and Terms of Use to increase transparency and disclosure;
  2. Assess what features of your service require parental consent, and at what stage;
  3. Remove tracking technologies, analytics and third-party plug-ins that are collecting identifiers in a non-compliant way, including integrations with ad networks and social media sharing widgets; and,
  4. Seek out compliant technology platforms to manage verified parental consent workflows and the storage and use of children’s and parents’ data in compliance with the GDPR

How long do advertisers and publishers have to act?

GDPR automatically becomes law in all member states on 4 May 2016, and – following a 2-year transition period – will be enforced from 25 May 2018.  However we are seeing brands and Tier 1 content owners beginning to implement these changes now (many of our partners began in 2015).

For more updates and training on the legal implications of marketing to kids, check out our KidAware certification program, aimed to help the industry achieve the best possible standards in digital kids marketing.