Historically the European Union’s Directive on data protection did not explicitly mention the privacy rights of minors, but applied the same data protection principles to children and adults alike.1 That said, there was recognition within the EU that when applying general principles of privacy the age of a data subject may be relevant. For example, while the EU Directive permits companies to collect and process data about a person if the company receives their “consent,” a company may not be able to obtain valid consent of a child if local law would not view a child as having sufficient capacity to give such consent.2
The EU’s new General Data Protection Regulation (“GDPR”), which goes into force in Spring 2018, specifically recognizes that “children deserve specific protection of their personal data, as they may be less aware of risks, consequences, safeguards and their rights ….”3 As in the United States, the GDPR requires that a company obtain the consent of a parent if it offers an information society service to a child.4 An “information society service” refers to most electronic services that a child might use and that request information about the child.5 The requirement that consent be obtained applies to information collected from children who are below the age of 16, although member states have discretion to lower the requirement so that, as in the United States, it only applies to children who are below the age of 13.6 The following provides a snapshot of information concerning fines.
The largest fine obtained by the FTC in the United States for a violation of COPPA.7
The percentage of a company’s revenue that may be fined if it fails to comply with the GDPR’s requirement to obtain parental consent.8
What to think about when reviewing your website for compliance with US law and the GDPR:
1. Article 29 Data Protection Working Party, Working Document 1/2008 on the protection of children’s personal data (General guidelines and the special case of schools) WP 147 (Feb. 18, 2008).
3. GDPR Recital 29.
4. GDPR Art. 8(1).
5. EU Directive 98/34/EC Art. 1(2). The term does not, however, refer to all online activities that collect information from children. For example, electronic games in an arcade, ticket machines, cash machines, etc. are not included. Id. at Annex V.
6. GDPR Art. 8(1).
7. United States v. Playdom, Inc., Case No. CV11-00724 (C.D. Cal. May 24, 2011), https://www.ftc.gov/sites/default/files/documents/cases/2011/05/110512playdomconsentorder.pdf.
8. GDPR Art. 79(3)(a).