Is GDPR the Kryptonite of Kids' Sites?

Posted by Emma Monks on

Emma_Monks_Blog_GDPR_LARGE_FINAL.jpgOn 27th April 2016, the EU adopted a new regulation called the General Data Protection Regulation (GDPR) to replace the existing Directive 95/46/EC on data protection. The new regulation comes into force on 27th May 2018 and, unlike the Directive, it is binding for all member states of the EU.

This new GDPR has some fairly major implications for companies who operate what the Regulation refers to as an ‘information society service’ which is defined as ‘any service normally provided for renumeration at a distance, by means of electronic equipment for the processing (including digital compression) and storage of data, at the individual request of the recipient of the service’. This definition would encompass almost any site operating for commercial gain, even if access for the user is free.

So what are the implications?

Currently, companies operating in the online kids and teens space work to comply with the US ‘Children’s Online Privacy Act’ (COPPA) that requires sites who allow access to children under 13 from the US to either seek prior verified parental consent or prevent the child giving away personally identifiable information. Since prior verified parental consent is notoriously tricky to gain, many community and games sites targeting kids and teens opt for either pre-moderating everything on the site, or giving children ‘menu chat’ (a pre-defined menu of phrases the child chooses from) or deploying a white list filter which is a more expansive dictionary the child can use that is pruned of words that could be used to give away such things as names, locations, numbers and other personally identifiable information.

The new GDPR states that the processing of personal data for children below 16 is only lawful with parental consent. The regulation also goes on to state that “Member States may provide by law for a lower age for those purposes provided that such lower age is not below 13 years.” Why the EC didn’t adopt a single age of 13 to dovetail with the US COPPA is bewildering, but what is certain is that this sliding scale of age limits immediately creates a conundrum for sites allowing access to children from the US and EU as, come 27th May 2018, we could easily be in a position where individual EU member states adopt a spread of age ranges from 13 to 16 and leave kids and teens sites with some difficult choices. In practice, faced with different EU member states potentially adopting different age limits, the easiest option for a site will be to set the age limit of 16 for all registrations from the EU and start to either seek parental consent for children younger than that, or adopt the same pre-moderation or chat filtering tactics as they currently do for COPPA compliance.

What impact will this have on user engagement? I’d have to assume quite a lot. In a digital world that is mostly COPPA compliant, the youth of the EU are used to major social media sites age-gating at 13. To suddenly change that ‘gate’ to 16 I can only believe will anger kids of 13-15 who are currently used to free expression online. Nor will 13-15 year olds want to move from free expression to a pre-moderated or white list filter model so, unless all the individual EU member states take a pragmatic approach and decide to align with COPPA, I would foresee a rash of young teens re-registering to their favourite sites with false dates of birth.

Added to this confusion for those of us in the UK is Brexit; currently we simply do not know whether the UK will still be part of the EU come 27th May 2018 so companies in the UK also have to decide whether to prepare for compliance with GDPR or hope that the UK won’t be subject to it. Law firms in the data privacy space are advising that UK sites do prepare for compliance since, even if the UK is not a member of the EU at that point, the Regulation has an extra-territorial effect – applying to organisations outside the EU that offer goods and services to individuals in the EU.

There is no doubt that the new GDPR will pose some major challenges for kids and teens sites allowing registration from children in the EU and we can only hope that, come 27th May 2018, we are facing an EU who have separately decided to align with COPPA.

Find out more

Emma Monks

Written by Emma Monks

Emma is an online safety professional with over 20 years’ experience in the industry. She currently serves as VP, Crisis Intelligence for Crisp, and is a specialist in social media risk detection and protection, in particular for kids & teens social platform safety and compliance. She has worked closely with law enforcement agencies on child abuse and grooming, for instance, and represents Crisp as a member of the board of the Family Online Safety Institute (

Read more posts from Emma »