Europe’s new data privacy law, the General Data Protection Regulation (GDPR), will be enforced from May 2018.  This law obliges all companies with consumers based in the EU to enable new data privacy protection. For websites and apps whose audience is primarily kids, additional requirements apply, commonly known as GDPR-Kids (GDPR-K).

In this series we outline the steps you ought to take immediately to prepare for GDPR-K. Part One dealt with auditing your technology partners. Part Two dealt with defining and articulating your compliance strategy. Part Three covers how best to revise your privacy notices.

Once you have regained control over the data collection that happens on your site or app (Part One), and have determined ‘who you are’ under GDPR-K (Part Two), it’s time to rewrite your terms of service and privacy policies.

EU regulators are determined to make incomprehensible legal notices a thing of the past, so GDPR-K requires you to post privacy notices that are concise and transparent and written in ‘clear and plain language, in particular if addressed to a child.’

This may sound impossible, but it’s not.  Data protection authorities recommend using so-called layered notices.  This means communicating with your users in two parts: first, you inform the child in plain language what data you are collecting and why; and second, you provide a link to a more comprehensive privacy policy (ideally understandable by parents).

The first notice should be contextual, in the place where you are about to collect the data.  It can even be ‘just-in-time’, like a tool-tip, as in this useful example provided by the UK’s Information Commissioner:

The second notice – your full privacy policy – will need to be updated in any case to ensure it’s written with the GDPR-K principles in mind, and  that it contains each item required under the new law, including:

  1. Who is your audience?
  2. What data do you collect?
    1. data type and how  it is collected
    2. purpose / use case
    3. how your use impacts your users
    4. with whom it’s shared and why
    5. where it’s stored
    6. how you protect it
  3. On what legal basis you collect data (consent, legitimate interest or other)
  4. How users can exercise their rights to view, amend, delete or to withdraw consent

Note that the GDPR allows non-governmental organisations to bring legal cases on behalf of individuals and people to sue companies for damages if they are in breach.  This is a game-changer in Europe.

In the US, we have seen a wave of civil lawsuits against publishers who were likely compliant with COPPA, but did not explain it sufficiently clearly in their policies.

Your notices and policies should be comprehensive and you’ll need legal advice to complete them.  If you are allowing the collection of any personal data (including cookies and other persistent identifiers), explain why, the legal basis and why you believe it’s compliant with GDPR.

Congratulations – you’ve taken the most important steps in minimising your risk of being fined after May 25th.  In the next few weeks, we’ll be posting guidance on three additional GDPR-K topics:

1. Monetising your kids’ site or app compliantly
2. How to acquire users compliantly and leverage cross-promotion
3. Collecting data and applying verifiable parental consent flows

The GDPR-K Toolkit for Kids Publishers Part One: Audit your technology partners
The GDPR-K Toolkit for Kids Publishers Part Two: Defining your audience
The GDPR-K Toolkit for Kids Publishers Part Three: Revise your privacy notices
The GDPR-K Toolkit for Kids Publishers Part Four: Safely monetise your site or app
The GDPR-K Toolkit for Kids Publishers Part Five: Kid-safe user acquisition
The GDPR-K Toolkit for Kids Publishers Part Six: Obtaining verifiable parental consent

Max Bleyleben is Managing Director at SuperAwesome.