What kids’ publishers must do today to ensure compliance with GDPR-K

Europe’s new data privacy law, the General Data Protection Regulation (GDPR), is now legally enforceable. This law obliges all companies with consumers based in the EU to enable new data privacy protection. For websites and apps whose audience is primarily kids, additional requirements apply, commonly known as GDPR-Kids (GDPR-K). To learn more, read our post here.

As a kids’ publisher—whether based in the US, EU or elsewhere—you need to be fully compliant or face the risk of censure from a data protection authority and fines of €20m or more. If you are already in compliance with COPPA (the US data privacy law protecting kids) then you may be familiar with some of the steps needed to comply with GDPR-K.

You should seek legal advice to ensure you are compliant with GDPR as a whole. In the meantime here are the steps you ought to have taken to ensure compliance with GDPR-K:

Audit your technology partners

Define and articulate your compliance strategy

Revise your privacy notices

1. Audit your technology partners

The most urgent action is to get a full picture of what data is being collected from your users by third parties.  You—the publisher—bear full responsibility and legal liability for any data collected from your users by others.  This includes all the little bits of embedded code, including ad tags, social media plugins, tag managers, analytics trackers, etc.

If you’re like most publishers that have been around for a while, you will have lots of third-party code and legacy data collectors that you don’t even know about.  If you’re unsure, use a tool like Ghostery or Androlyzer to check who is collecting data from your users.

First, immediately remove all the trackers you are not actually using or don’t need.  Second, ask each of your remaining suppliers to explain what data they are collecting and how this will be treated under GDPR-K.  To help you with such an audit, we’ve prepared a form you can use - just download our Partner Compliance Questionnaire and send it to your suppliers.

Finally, give the answers to your lawyers so that they can do a thorough assessment of your data collection practices.  Remember that—under GDPR-K—social media plugins and data collection for behavioural advertising and profiling will not be permitted without consent.

2. Define and articulate your compliance strategy

One of the most important steps is to decide upfront whether you are primarily a kids’ site or not.  Under COPPA, any service with child-friendly content may be classified by the regulator as ‘child-directed’.  The GDPR’s definition of a service ‘offered to children’ is even broader, and will capture many sites and apps that today do not consider themselves for kids.  In short, if you have a mixed audience of both kids and adults, then under GDPR-K you are a kids’ site.

The safest way to proceed is to articulate very clearly who your audience is.  You can do this either by separating your services by content, or by segregating your audience before they reach your service.  The tools for this are signposting and age-gating.

Note that if your primary audience is kids, then under COPPA and GDPR-K you must treat all your visitors as kids (and you may not age-gate).

However, if your content appeals to children and adults, such as casual HTML5 games on web, or many mobile games, we recommend age-gating visitors when they land on your site or open your app.  An appropriate age gate asks them in a neutral manner how old they are (not their birthdate—that is more information than you need).

If they are below the age of digital consent under the GDPR’s Article 8 (depends on which country the user is in—see adjacent map), you will need to funnel them into a zero-data version of your service, e.g. remove social media plugins and third-party data collectors such as ad networks that do profiling or behavioural targeting.  If they are above the age of consent, you may treat them as any other (adult) visitor.

If, on the other hand, your site is mainly for adults but includes content appealing to kids—such as the product website of a toy company or a kids’ entertainment business—an alternative to age-gating is to ‘signpost’ clearly which section is for which audience.  Best practice is to make your main landing page child-safe, e.g. by applying the zero-data collection principle, including no social media plugins.

From there, clearly marked navigation would take the visitor either to more kids’ content (zero data), or to a grown-up section (e.g. corporate info or a shop).  When a user leaves any kid-safe area, always pop a friendly ‘bumper’ message letting them know.

Be overly transparent and clear which parts of your service are child-directed and which are not for kids.  Getting this wrong has led to costly fines for several well-known kids’ brands in the US, and we expect the regulators to make this an area of focus under GDPR-K.

If you’d like to know more about how the age gate feature in our publisher SDK works and about best practices for implementing age gates, please contact us on pubsupport@superawesome.tv.

3. Revise your privacy notices

Once you have regained control over the data collection that happens on your site or app (Part One), and have determined ‘who you are’ under GDPR-K (Part Two), it’s time to rewrite your terms of service and privacy policies.  EU regulators are determined to make incomprehensible legal notices a thing of the past, so GDPR-K requires you to post privacy notices that are concise and transparent and written in ‘clear and plain language, in particular if addressed to a child.’

This may sound impossible, but it’s not.  Data protection authorities recommend using so-called layered notices.  This means communicating with your users in two parts: first, you inform the child in plain language what data you are collecting and why; and second, you provide a link to a more comprehensive privacy policy (ideally understandable by parents).

The first notice should be contextual, in the place where you are about to collect the data.  It can even be ‘just-in-time’, like a tool-tip, as in this useful example provided by the UK’s Information Commissioner:

The second notice—your full privacy policy—will need to be updated in any case to ensure it’s written with the GDPR-K principles in mind, and that it contains each item required under the new law, including:

1) Who is your audience?
2) What data do you collect?
      a) data type and how collected
      b) purpose / use case
      c) how your use impacts your users
      d) with whom it’s shared and why
      e) where it’s stored
      f) how you protect it

3) On what legal basis you collect data (consent, legitimate interest or other)
4) How users can exercise their rights to view, amend, delete or to withdraw consent

Note that the GDPR allows non-governmental organisations to bring legal cases on behalf of individuals, and allows people to sue companies for damages if they are in breach.  This is a game-changer in Europe.  In the US, we have seen a wave of civil lawsuits against publishers who were likely compliant with COPPA, but did not explain it sufficiently clearly in their policies.

Your notices and policies should be comprehensive and you’ll need legal advice to complete them.  If you are allowing the collection of any personal data (including cookies and other persistent identifiers), explain why, including the legal basis, and why you believe it’s compliant with GDPR.

Congratulations - you’ve taken the most important steps to minimise your risk of being fined after May 25th.  In the next few weeks, we’ll be posting guidance on three additional GDPR-K topics:

4) Monetising your kids’ site or app compliantly
5) How to acquire users compliantly and leverage cross-promotion
6) Collecting data and applying verifiable parental consent flows

4. Monetising your kids’ site or app compliantly

Now that you’ve covered the basics of compliance (parts 1-3), we can look at how to maximise advertising revenue from your kids’ audience without collecting any data, as required by COPPA and GDPR-K.

If you had previously written off your under-13 audience as ‘zero revenue’, think again.  Provided you (1) set up your ad-serving infrastructure to be compliant, (2) offer a great ad experience for users, and (3) tap into age-appropriate demand, you should be able to generate more revenue per user than before.

With your audience segmented via an age-gate or sign-posting (see Part Two), you now have an extremely valuable demographic which the top kids’ brands are eager to reach.  The kids’ market is currently the fastest-growing vertical in digital advertising, with annual growth of 25-40%, according to PwC. Those advertisers cannot find their intended audience through traditional data-driven marketing channels.  They can only reach them by tapping into contextual demographic segments, like the one you’ve just created. 

When making your kids’ audience available to advertisers, be sure to use only COPPA or GDPR-K compliant ad-serving technologies.  That means only accepting contextual advertising, and blocking any collection of persistent identifiers (like device IDs or IP addresses) by partners who may be building profiles or engaging in behavioural advertising.  If you’d like to know more about our zero-data ad serving platform, AwesomeAds, and publisher SDK, please contact us on pubsupport@superawesome.tv.

To maximise yield from your inventory, you must first understand what premium advertisers are looking for, and then ensure a good user experience so that your kids’ audience is engaged and keeps coming back.  Let’s look at these in turn.

Appealing to advertisers

Premium kids’ brands are very aware of the regulation governing kids’ data privacy. The top media and toy companies will only advertise on kids’ properties that are visibly and clearly compliant with the zero-data standard established by COPPA and GDPR-K. But they also have additional requirements like any other advertiser to track performance. In the kids’ space this means reach (viewed impressions) and engagement (clicks or time spent).

Where you place ad units, how quickly they load, the types of formats you allow; all these contribute to performance (and hence the CPM rate paid). So it’s critical that you experiment and test and optimise for advertiser needs.

A good example is viewability, which more and more often is the primary performance metric tracked by advertisers. For most, at least 70% of their ads need to be ‘viewable’ (as defined by the IAB) or they won’t run on your site. Be sure to unlock this premium demand by checking the viewability of your display and video formats and moving or losing ad units that do not perform. When it comes to digital ads, less is often more.

If you’re a member of our marketplace, AwesomeAds will automatically shift campaigns toward publishers that have the highest rates of viewability and engagement.

Ensuring a good user experience

There are three ways to ensure the best ad experience for your under-16 users, leading to the high engagement that advertisers will pay more for:

Show the right ad for your audience
Nothing exacerbates ‘banner blindness’ and annoys kids more than irrelevant ads. Try to filter your campaigns from your demand sources to show only ads from kids’ brands relevant to your specific demographic, whether it’s pre-school (4-6), kids (7-9), tween (10-12) or teen.

Video ads tend to be high quality, and kids love video. Bear in mind never to make the user turn the phone to watch a video ad, as this disrupts the flow of the game and will not result in strong engagement.

Ensure zero disruption
Kids are no less (and arguably more) intolerant of disruptive, schlocky ad formats. Premium sites and apps run high quality ads, which means you should aim to adhere to the emerging standards for good ad experiences, or run carefully designed and integrated sponsored experiences, such as virtual world integrations or microsites and mini-games.

Design ads into the flow of your site or your game. For app developers, as an example, rewarded videos are a great way to add value to your app, to the audience, and to the advertiser (who benefits from high video completion rates).

When creating interstitials, use them in natural transitions to prevent your users from feeling that the ad disrupted their journey.

Only show safe creatives
Every ad you show also needs to comply with the content rules that govern your site and the relevant local advertising regulation. In most cases this means following the CAP Code’s Article 5 (in the UK) or equivalent. When it comes to kids, we can’t really get around the need for a human touch, so you will need to review ads as they come in or be confident you can rely on your demand partner to do so.

This is why all ads served through AwesomeAds carry the SafeAd watermark, which means: (1) this ad is not collecting any personal data, and (2) this ad has been reviewed by a human for age-appropriateness and compliance with advertising codes.

Your properly segregated kids’ audience is hugely valuable to premium kids’ brands. By creating high-quality ad placements and enabling advertisers to target your audience contextually, you can continue to grow your business in full compliance with GDPR-K.

5. Kid-safe user acquisition

Creating great digital content for kids is hard, but getting them to come to your site or download your app can be even harder.  That is why app developers spent over $5B last year on ad campaigns to acquire new users, also known as CPI (cost-per-install) ads.

Let’s look at three aspects of growing a user base comprised of kids: compliant user acquisition, how to promote your content, and cross-promoting your services to existing users.

Acquiring new users in the kids space is fraught with compliance concerns, because the way CPI for user acquisition works is fundamentally non-compliant with COPPA and may be illegal under GDPR-K as well.

Here’s why: in a typical CPI campaign, the ad unit collects a device identifier in order to track whether the user who saw the ad eventually downloads and opens the advertised app.  In order to ‘attribute’ the download to the original ad campaign, the CPI provider tracks user behaviour in ways we shouldn’t when it comes to under-16s.  So, content owners and brands are rightly concerned about using attribution technology or CPI services invented for the adult market.

To acquire users compliantly, always run your CPI campaigns through kid-safe providers, and ask them to demonstrate that they are able to deliver downloads or traffic without tracking users across time and across domains.

If you’d like to know more about our zero-data CPI solutions, please contact us on enquiries@superawesome.tv.

In addition, persuading children that your content is worth checking out in the first place is a fine art. Kids are very ad-savvy, and presenting them with the right messaging is crucial. They make decisions about whether to engage with an ad in a fraction of a second, so you really can’t afford to put the wrong creative in front of them.  Here are some tips we’ve gleaned from running hundreds of kids’ app install campaigns:

Focus on one key benefit
It’s tempting to reel off a list of all the cool things your app offers, but in reality this leads to a confusing and bloated creative on a small screen. If your app has more than one great feature, design multiple creatives with each highlighting one benefit.  (This approach has the added benefit of allowing you to test which feature pulls in the most users.)

Don’t waste words
‘Free racing app’ will outperform ‘rev your engine around the track in this awesome new super-fast racing experience’ every single time. Kids need to digest your message in a tiny amount of time, so if you want them to read it keep it short.

Be clear you’re offering an app
Sounds simple, but this is often neglected, and can be easily solved by prominently displaying a Play Store or App Store logo.

If your app is free, make this SUPER clear
This matters to kids, and definitely to parents.  In general, apps for under-16s should not require payment upfront, as you don’t know whether the kid’s device is shared, or if they have permission to buy in the app store.

Try different creatives.  Your best performing ad unit will rarely be the one you predicted as adults don’t think like kids!

If you have multiple apps or sites, then your most effective user acquisition tool may well be cross-promotion.  Kids who are already familiar with the look & feel of your apps will be more inclined to download other apps from the same family.

If you are monetising with ads, then you can use the same placement to run ads for your other apps or services.  Simply put your own ad units in the fallback position in your ad server, or have your ad operations team traffic your internal ad campaigns alongside paid campaigns.  The best placements for cross-promotion ads tend to be during natural ‘breaks’ between levels or on loading screens.  For more tips on the most effective ad placements, see Part Four, or contact our marketplace team on pubsupport@superawesome.tv.

Be sure to use compliant tools and services when acquiring users who are kids.  Remember that messaging and creative execution are key to getting kids engaged, and your own audience can often be the best opportunity for cross-promotion.

6. Collecting data and obtaining verifiable parental consent

If you genuinely need to collect personal information from users of your service - say because you want to allow kids to create an account to use your location-based services, or to enable in-app purchases, or to create a social community - then you have to comply with Article 8 of the GDPR to get permission.

On the face of it, Article 8 (now known as GDPR-K) says the same thing as COPPA: obtain verifiable parental consent before collecting personal data from children.  Under the hood, however, there are important differences.

First, the threshold for children providing their own consent under GDPR-K is 16 rather than 13, though individual countries can lower the age of consent to any age down to 13.  Currently the UK, Ireland, Spain and most Scandinavian countries have chosen 13, whilst Germany, the Netherlands and Italy have chosen 16, with France still debating between 15 and 16.  You can see the latest map of EU consent ages in Part Two.

Second, the mechanism for ‘verifying’ consent is more flexible under GDPR-K than it is under COPPA.  In the US, it has become standard practice to use a credit card transaction to verify the identity of the parent prior to collecting personal data.  Credit card is also a valid verification method under GDPR-K, but - taking into account the GDPR’s data minimisation principle - it should only be used if the sensitivity of the data you are collecting merits it.

How do I know which verification method to use?
Unlike COPPA, GDPR-K is not prescriptive when it comes to methods of verification.  The onus is on you to determine a reasonable approach to match the risk of proposed data processing.  For example, if you want to collect a child’s email address for the sole purpose of allowing them to reset a forgotten password, it is likely sufficient to email the parent for their consent and to confirm, via a tick-box, that they are the holder of parental responsibility.

If, on the other hand, your app needs to continuously track a device’s GPS coordinates to enable a location-based game, then the verification threshold is higher. For example, you should verify the parent’s identity by asking them to confirm they are the parent and to complete a credit card transaction to prove they are an adult.  Note that any time you are sharing data with third parties, the risk level is considered to increase substantially, requiring a higher level of verification.

GDPR-K asks us to take a measured approach to match verification levels to risk, whilst minimising data collection.  Guidance from the regulators has been limited to date, so best practices will evolve over time, but here is one way to think about it:

Minimising user flow disruption
Just as you would for permissions with grown-ups, the best user experience is only to ask for consent at the point in the flow where the purpose of collecting data is obvious and of value to the user.

For example, if you want to enable push notifications, you should ask for permission only at the point that the user chooses to enable them. Similarly, if you are running a competition with a physical prize giveaway, don't ask every user that enters for their mailing address, just ask the winners.  If your game has multiple features that require data collection, consider revealing these in stages, so that users are accessing new features and giving new consents as their commitment to your service grows.

But that’s not all
Once the parent or guardian has been notified or has granted consent, there are further GDPR-K obligations you need to be aware of: new purposes, re-consents, and subject data access rights.

Under GDPR-K, if your business comes up with an awesome new product idea, and you would like to use personal data you’ve collected in a new way, you must obtain a new consent for the new purpose.

Also, when a user reaches the age of digital consent in their country, you’ll need to obtain consent directly from them in order to continue processing their data.  Acceptable user flows for this re-consent process are still being debated, but it should be possible to comply whilst avoiding interruption of the service. The simplest solution is to present the user with an alert or notification the next time they access your app or service, informing them that their parents’ consent has expired and they need to provide direct consent themselves.  Don’t forget to provide clear and transparent privacy notices in a language the user can understand, in keeping with the core principles of GDPR.  For more on notices, see Part Three.

Finally, bear in mind that the law requires you to allow your users (or their parents) to access, revoke or modify their consent at any time.  This means at a minimum providing a contact they can reach to communicate their wishes, or (better yet) giving them access to a parent portal (like this one) where they can review and modify their consents.

Managing the complexity
If this all sounds somewhat onerous and complex, consider using a compliance platform like our Kids Web Services, which manages the entire kid and parent registration flow, handles the verification and opt-in/out flows automatically, understands and automatically applies the correct legal requirements in whatever country your users are in, and enables parents to manage consent through our parent portal.

Kids Web Services can be fully self-service, and provides mobile and web SDKs and APIs to allow you to integrate our platform directly into your apps and sites.

That brings us to the end of our GDPR-K readiness series. If there are other topics you would like us to write about, please reach out directly on privacy@superawesome.tv.  And, as always, you can follow our blog posts here.