The European Union is in the process of approving a new General Data Protection Regulation [“GDPR”] designed to modernize and consolidate the privacy requirements of handling data obtained from citizens of the EU online. One surprising aspect of the new GDPR is Article 8, which sketches out a COPPA-like regulatory process for the collection of information from minors.
While Article 8 mirrors the general approach found in COPPA, one provision is causing a good bit of alarm with privacy and legal commentators. Instead of setting the cut-off age for compliance at “under 13” as with COPPA, the GDPR uses a default age of “under 16.” Member states will be allowed to lower this age, but many of the 28 states are expected to retain the “under 16” age limit. With this in mind, we asked experts in the COPPA field for their thoughts on the impact the new age cutoff will have on sites and apps dedicated to teens.
“I think the impact of GDPR will be foundational for the mobile game, social media and online content markets. For studios and publishers it’s like there will be 28 new versions of COPPA, each with its own age of consent, parental verification methods, and language. And it’s much more likely that GDPR will be enforced aggressively by at least a few of the 28 member countries. France is even talking about adopting GDPR a year early. Since GDPR requires active consent before processing data from any EU user, regardless of their age, all publishers will have to retool their sites and apps to “design for privacy.” To help publishers solve all of these new GDPR compliance issues, AgeCheq recently added GDPR support to our cloud-based service.
With respect to your specific question, there’s a big difference between a 12-year-old and a fifteen-year-old. Although the authors of COPPA obsessed about the ways a 12-year-old child could potentially spoof the system to give themselves permission to play a game, we have not seen that in practice. However, I think a 15-year-old in today’s society is very likely to try to outsmart a parental identity system to do what they want. We’ve all been fifteen, right? I agree with those that say raising the age of consent will not protect the privacy of more children, but will probably foment more deceptive activity from 14 and 15-year-olds. The UK has stated they are staying with 13, but it seems likely that at least some of the other EU countries will choose higher ages of consent.
For game publishers, the effect of raising the consent age will be enormous because they have generally ignored children under 13 due to the extreme effort required to legally include them as users. But children 13-15 are a completely different demographic, and I think publishers will not be able to just walk away from that age group as they did with U13. That age group is extremely active on mobile games and social sites, and statistically, they are big spenders on virtual goods. I think GDPR is the ‘tipping point’ that will convince content publishers to actually ‘design for privacy’ and handle everyone’s privacy properly. AgeCheq’s mission is to streamline and facilitate that effort with tech solutions that impart the least friction on user acquisition, retention and of course, profitability.”
“The proposed changes to the COPPA laws are a nice effort to better match the EU to the US regulations, however, miss the point as to the difficulty in complying and enforcing these laws. First off, these laws still create a miss-allocation of incentives for brands, kids or parents to be 100% forthright in these digital transactions. Brands are the only ones penalized by these regulations while kids (who are true digital natives) are able to skirt the best age gates, all of which leaves parents in the dark. The end result is these sites are forced to diminish their features, UI and UX for all users with the chance that their users are under the legal age (and honest about it). If the government really wants to make an effect of keeping kids safer online, there needs to be a change in the penalties or incentives for the kids and parents that use these sites or experiences to give them a reason to truthfully comply with the laws. Our mission at Kpass was to flip the model on its head and give young people a trusted digital identity online that they wanted to use, parents better tools to monitor and manage their behavior, and brands the easy ability to monitor and manage their compliance. It was an extremely lofty goal, but we looked at this crazy situation from a product perspective and created something great for all users.”
“In my opinion, moving the age gate to 16-years old would work even less well that the current 13-year old version works.
We’re totally in favor of teens having access to social media. Preventing them from accessing popular online properties would seriously inhibit their access to educational and social opportunities.
We would prefer a world in which parents had more control over the digital accounts of minors in their custody, but it is not possible given the current environment and commercially available technology.
The current 13-year old age limit has effectively trained young would-be internet users to lie about their age, and the social media companies have been complicit. Raising the minimum age to 16, or anything else, will only encourage more dishonesty.
In practice, the social and gaming companies appear to be fairly well insulated. It’s difficult for them to prove a user isn’t 12, or 15, so once a user has affirmed their age, life goes on. The change as proposed will have no impact on the social and gaming networks as kids figure out how to get around it.
A second concern that we have if every minor represents his/her age as 16 or higher is that the number of unwanted advances from older suitors is likely to increase, and, therefore, the attendant consequences. Think of it as a version of the “Hey, she looked 18 to me” defense in the case of sex with a minor.”
Co-Founder at ThirdParent
As for myself, the “under 16” age limit is a head scratcher. The average 15-year-old is knowledgeable when it comes to the web. The idea that parents need to provide parental verification for each site or app these kids visit is overkill. Moreover, the requirement raises serious questions about whether Article 8 violates the right to free speech of teens. COPPA has always faced the risk of a serious free speech constitutional change, but the government can, at least, make a credible argument that there is a governmental interest in protecting relatively young children from data collection practices of the large online entities.
But under 16?
Expect free speech proponents in the EU to serious consider bringing a legal challenge to Article 8 of the GDPR. If nothing else, it will be humorous to watch the EU courts struggle to determine at which age a teen can be assumed to understand the consequences of their actions online.
Richard A. Chapo, Esq.
Thank you to all the parties who contributed to this article.