Trick question. When was the last time the United States and European countries went to war? The Revolutionary War? No – now. The countries are warring over the right to privacy online, and the EU has just enacted a new General Data Protection Regulation [“GDPR”] that contains 99 master regulations on privacy comprising 250-plus pages. Many of the articles are controversial. The EU has been on a roll when it comes to passing controversial regulations and directives such as the much-mocked link tax. However, one article stands out as a shocker – GDPR Article 8, covering the collection of personal information from kids online, including teens.
The United States has a federal law known as COPPA – the Children’s Online Privacy Protection Act. Under this law, businesses collecting information online from children under the age of 13 must go through a labor- and technology-intensive compliance process. Fail to do so and the FTC can seek damages of up to $16,000 per child in a court of law.
The EU has not enacted a law that is equivalent to COPPA. Sure, a few member states passed laws applicable to just their country, but enforcement against companies located beyond the borders of those countries has been non-existent. The situation is now changing. The new GDPR contains a regulation that will be law in every member state – Article 8.
Article 8 reads:
Conditions applicable to child’s consent in relation to information society services
1. Where point (a) of Article 6(1) applies, in relation to the offer of information society services directly to a child, the processing of the personal data of a child shall be lawful where the child is at least 16 years old. Where the child is below the age of 16 years, such processing shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child.
Member States may provide by law for a lower age for those purposes provided that such lower age is not below 13 years.
2. The controller shall make reasonable efforts to verify in such cases that consent is given or authorised by the holder of parental responsibility over the child, taking into consideration available technology.
3. Paragraph 1 shall not affect the general contract law of Member States such as the rules on the validity, formation or effect of a contract in relation to a child.
The regulation is a tad bit vague, and EU committees will need to put meat on the bones, but there is a particular piece of information in section 1 of Article 8 that should give all online operators pause. The age cutoff for Article 8 will be 16, not 13 as used in the United States.
Consider how many 15-year-olds are likely using Facebook, and you can see how this new age limit is alarming. Tens of millions of kids 13 to 15 are using the web, a fact that is about to make compliance with Article 8 a nightmare for many online businesses.
There is, of course, an escape clause in Article 8. Each member state of the EU will be allowed to lower the age cutoff as low as the COPPA standard. A few will. Perhaps many. The chances of all 28 nations taking this step, however, are remote. Companies must plan for a cutoff age of 16 until matters are clarified.
If I were you, I would consider investing in the stock of aspirin manufacturers.
Richard A. Chapo, Esq.