The concept of privacy is more cherished in Europe than it is in the United States. Given this, it is a bit odd the EU has no privacy law devoted specifically to the collection of personal information from children online when the United States has had the Children’s Online Privacy Protection Act since 1998. This is about to change with the EU Data Protection Directive that appears set to be enacted in early 2016.
The Data Protection Directive is a complex document with 91 articles covering different privacy matters. As is typical in Europe, the new directive constitutes a maze of legal issues with enough vagueness to leave several critical regulatory requirements open to interpretation. The provision covering data collection from children online is not one of these vague regulatory components. The EU appears to approve of the legal approach used in the United States for child data collection, and has simply adopted the basic foundation of COPPA. Article 8 codifies the regulatory language as follows:
Processing of personal data of a child:
1. For the purposes of this Regulation, in relation to the offering of information society services directly to a child, the processing of personal data of a child below the age 13 years shall only be lawful if and to the extent that consent is given or authorised by the child’s parent or custodian. The controller shall make reasonable efforts to obtain verifiable consent, taking into consideration available technology.
2. Paragraph 1 shall not affect the general contract law of Member States such as the rules on the validity, formation or effect of a contract in relation to a child.
3. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for the methods to obtain verifiable consent referred to in paragraph 1. In doing so, the Commission shall consider specific measures for micro, small and medium-sized enterprises.
4. The Commission may lay down standard forms for specific methods to obtain verifiable consent referred to in paragraph 1. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).
While Article 8 is rather concise, Section 3 suggests further directives will be issued to clarify specific data collection practices. The current belief is these regulations will closely mirror the FTC COPPA Rule. Most larger companies are already moving to extend their COPPA compliance efforts to cover traffic generated from member countries of the EU in light of this belief.
Countering FTC Failure
The FTC is charged with enforcing COPPA in the United States but has shown little interest in carrying out its duty. The failure of the FTC has resulted in many companies developing a false sense of security regarding the risk associated with violating COPPA. Such companies will need to revisit this sense of security in light of Article 8.
While the FTC is likely to continue an unwritten policy of ignoring its COPPA obligations, enforcement agencies in Europe take the subject of privacy a bit more seriously. For example, EU agencies have been able to win two significant victories on privacy and data collection issues in just the last two years:
- 2014 – EU forces Google to honor “right to be forgotten” requests in Europe.
- EU – US Data Safe Harbor banned in a class-action Facebook lawsuit in 2015 because of insufficient privacy protections in the United States [NSA spying, etc].
The question is will agencies in the EU devote sufficient resources to pursuing companies for violating Article 8 of the new Directive or take the “head in the sand” approach of the FTC? Predicting the future is always a murky affair, but the sheer volume of companies collecting information from young children without first obtaining parental consent is so large that it is hard to imagine the EU enforcement agencies passing on such easy targets.
The EU Data Protection Directive is expected to roll out over 2016 and 2017. Companies collecting data from children online without parental consent need to wake up to these new obligations. While the FTC may be impotent, European agencies are likely to be anything but.
Richard A. Chapo, Esq.