Now that the UK has formally left the European Union, we’re getting questions from developers and brands about how their obligations under GDPR-K are going to be impacted.
The short answer is very little. Whether you are doing business in the UK or in Europe, you may not collect personal data from kids without parental consent. This is because the UK Data Protection Act 2018, the law that implemented GDPR in the UK, remains in force post-Brexit. This law continues to mirror GDPR — in fact, the UK’s data protection regime is now called ‘the UK GDPR’!
While, in principle, the UK can now make changes to the UK GDPR, it’s unlikely to do so in any way that would diverge materially from GDPR. This is to ensure the EU and UK can continue to recognize the adequacy of each other’s laws, thus avoiding new restrictions on data transfers or other barriers to doing business.
What do brands need to do to ensure compliance?
If you are a brand advertising to under-16s across the region, continue to ensure that:
- Your delivery partners are only using contextual targeting methods (no behavioral targeting and no retargeting).
- You are avoiding the collection of any personal data, including device identifiers and IP addresses, in the course of delivering ads.
What do developers need to do to ensure compliance?
If you operate a game or other digital service with young users, you’ll need to comply with the principles of GDPR-K in both the UK and Europe, namely:
- Use an age gate or other age verification method to identify kids so that you can act in their best interest.
- Don’t collect personal data (including persistent identifiers) and don’t allow partners to do so, unless you’ve obtained parental consent and verified the parental relationship, in accordance with Article 8.
In addition, both advertisers and developers will need to apply the Children’s Code (also known as the Age Appropriate Design Code) in relation to any UK users. This means considering the best interest of users all the way up to age 18; not profiling them for marketing purposes; ensuring geolocation collection is off by default; and avoiding techniques (to extend engagement or increase spend) that might be considered “detrimental”. For more, see our earlier posts here and here. It is important to note that post-Brexit, the Children’s Code will apply to any service from the European Economic Area (EEA) with UK users, as well as to services from outside the EEA.
Brexit will create other, new requirements for UK companies that operate in the EU, especially if they handle personal data of EU residents. Be sure to consult your legal counsel for detailed advice on your obligations.