The European Union enacted the General Data Protection Regulation, in all its 261 fascinatingly horrific pages of bureaucratic vagueness, on April 14, 2016. Part and parcel of the new Regulation is Article 8, which creates a COPPA-like requirement for businesses collecting information from children online. Companies collecting European traffic face a complex compliance future.
In all its glory, the final version of Article 8 reads as follows:
Conditions applicable to child's consent in relation to information society services
1. Where point (a) of Article 6(1) applies, in relation to the offer of information society services directly to a child, the processing of the personal data of a child shall be lawful where the child is at least 16 years old. Where the child is below the age of 16 years, such processing shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child.
Member States may provide by law for a lower age for those purposes provided that such lower age is not below 13 years.
2. The controller shall make reasonable efforts to verify in such cases that consent is given or authorised by the holder of parental responsibility over the child, taking into consideration available technology.
3. Paragraph 1 shall not affect the general contract law of Member States such as the rules on the validity, formation or effect of a contract in relation to a child.
There are two key aspects of the new regulation to take into account. The first is the flexibility on age limits. 16 is the default age, which will be alarming to many gaming and teen sites that have skirted COPPA compliance under the theory that their offerings were not directed at children under 13. Making the same argument for kids under 16 is an entirely different matter, given that most 15-year-olds spend a massive amount of time on the web.
The second essential characteristic of Article 8 is the lack of specificity. The enactment of Article 8 should act as a warning to companies, but not a reason to panic. Member States still need to designate an age limit between 13 and 16. The EU will also require further time to create sub-regulations detailing what constitutes verified parental consent. However, companies should expect a set of rules that differs significantly from the FTC COPPA guidelines. The FTC Rule has mostly produced a weak compliance environment, a fact undoubtedly not lost on regulators in the EU. In theory, the GDPR will not be enforced for two years, but companies need to start contemplating compliance adjustments now to avoid being caught out in 2018.
Penalties for violating COPPA run $40,000 per violation. The EU takes a different approach. Companies found to violate Article 8 will be fined up to four percent of their worldwide gross or up to 20 million pounds. Article 8 will apply to companies both inside and outside the EU so long as personal information is collected from citizens of the Union. How exactly the EU intends to enforce such penalties against international companies without a physical presence in the EU is not entirely clear, but it will undoubtedly generate a decade or more of litigation.
Is the EU issuing a new master privacy regulation to protect the information of its citizens, or is this a concerted effort to attack big online businesses predominantly located in the United States, such as Google and Facebook? The answer appears to be a mix of both. While privacy concerns are legitimate, one can't help but notice that the new regulations seem to focus on crushing business models built on the monetization of data, a.k.a. the business model of Facebook and Google. While the EU may think it is striking a blow for privacy, there is a real risk that the new GDPR will result in the continent being isolated as foreign entities reject EU traffic to avoid paying the significant cost of complying with the GDPR in general or Article 8 in particular.
Time will tell.
Richard A. Chapo, Esq.