The new General Data Protection Regulation for the European Union is a game changer for data collection and privacy rights for Europeans. With the final version of the GDPR now published, the language of Article 8 requires online businesses to obtain verified consent from parents before collecting personal information from individuals under 16 online in contrast with the “under 13” standard used in the United States. The lunacy of the regulation only grows more daunting the longer one considers the practical implications.
Teenagers with Accounts
Let’s start with a simple question. Of all the 14 and 15-year-old teenagers in Europe, how many do you imagine are online and have accounts with SnapChat, Facebook, Tumblr, and other popular sites? The number must be shockingly high…as in “dictator-wins-98.9-percent-of-vote” high.
What happens to the accounts for these teens when the GDPR goes live in 2018?
Over a billion members.
Is known to terminate 20,000 accounts a day opened by kids under 13 in violation of COPPA.
Under the GDPR, will the company need to automatically terminate the accounts of all 14 and 15-year-olds in Europe? Will the company be given the chance to identify and seek parental consent from each teen with an account? How exactly will the company differentiate a 15-year-old triggering parental consent from a 16-year-old member who can act on their own? DMV employees cringe at the demonic regulatory ball of red tape about to hit the teen Internet market in Europe.
Your average 14 to 15-year-old tends to have a bit of a sneaky streak. When presented with a new barrier to a site or app they formerly were a member of, most teens are going to make the age filter connection and lie about their age when re-registering. It is the height of stupidity to assume a 15-year-old who posts to their Tumblr account every day before having their account terminated after the enactment of the GDPR isn’t going to gain access to the site by offering a false age. If they are honest, most people in the COPPA compliance field will admit age gateways don’t even work with kids who are under 13. If a teenage wants access to a site, they’ll lie about their age all day long. If a site tries to block the person using an IP address, most teens understand the beauty of proxies.
Who Will Save The Children?
As a society, we tend to be protective of children for a variety of noble reasons. One really must question whether we’ve crossed the line from prudent protection into the realm of the paranoid. Requiring verified parental consent for kids under 16 as called for in the new GDPR is an exercise in practical stupidity and bureaucratic arrogance. Even worse, this attitude is sweeping Europe to the point Europeans now live in a bizarre world where France is threatening to prosecute parents who post photos of their kids online!
Children need to be protected online, but the “under 16” designation used in the new GDPR is absurd. The drafters of the provision are likely to realize as much when they try to work through the practical problems of implementation.
Richard A. Chapo, Esq.