Claire Quinn is PRIVO’s VP of Compliance and DPO, based in the UK. Claire works hand in hand with businesses to make sure they are in compliance with regulations as they relate to children’s privacy. Here are a few of the most frequently asked questions and answers:
How does the GDPR affect businesses’ interaction with kids online?
CQ: If a service is child-directed or collects and processes a child’s personal data then it must comply with the regulation. It applies to companies globally, not just those based in the EU. Understanding what data is collected and processed, the lawful basis for processing the data and who it is shared with is vital. It’s then important to implement compliant processes and to record those policies and processes; a regulator may well want to review them at some point.
Comparing the GDPR to the United States’ COPPA legislation, how do you see the movement for more protection of minors?
CQ: The GDPR has prompted a wave of new privacy legislation including the California Consumer Privacy Act (CCPA) to the Vermont Privacy Law and Washington Privacy Act. Canada and Australia have updated their privacy laws and revisions to COPPA have been proposed in the US. The Bill proposes to increase protection for minors up to the age of 15. The GDPR aims to put individuals in control of their data and the number of data breach notifications and ensuing actions by data protection authorities in the EU have put the issue of privacy in the spotlight. News about use and misuse of data hits the headlines weekly. Privacy is a hot topic and there is a growing and sharper focus on children’s privacy. The UK DPA, the ICO, is working on an Age Appropriate Design Code and the EDPB’s work plan is focused on guidance for dealing with children.
Verifiable Parental Consent is a popular topic with all regulations. What kinds of organizations need to obtain parent consent?
CQ: Information Society Services (ISS) include websites, apps and connected devices and these all need to comply if they are directed to or attract children. Obtaining consent really depends on whether or not consent is the lawful basis for processing the personal data collected. Organizations need to understand what categories of data are collected from the child and how it is used. Some processing, such as profiling, including for advertising, requires consent. It is also important to know the age of consent in the different member states where it is processing children's information.
Being an EU resident, have you noticed a big change regarding your own personal data and public perceptions about privacy?
CQ: Yes, and on several levels. Annoyingly, the first few months after the regulation came into force we were all plagued by email requests for consent from marketers, which led to a degree of consent fatigue. In many cases the consent was not required; in some it was, but the method of gaining that consent was questionable. This was quickly followed by numerous data breaches hitting the headlines and since then privacy has become the new public watchword. There is an obligation to notify the authorities within 72 hours if your organization has a security breach. With transparency requirements key there’s no way to hide. People have woken up to the fact that their data is valuable and has at times been misused. This awareness has meant the need for organizations to build trusted brands with integrity; it’s vital to success. Almost weekly our newspapers carry full page ads from Facebook telling us why we should trust the tech giant and what they are doing to “improve”.
We are almost one year into the GDPR with reportedly 95,000 citizens’ complaints already filed. Do you see this number gaining even more momentum?
CQ: The number of complaints may well slow. However, individuals are much more aware that their personal data is being collected and sold; in the past many people haven’t understood what is happening to it behind the scenes. The tech firms have not been transparent; we see that with some of the high profile cases in the news. What will grow is people’s awareness, which may lead to them actioning their rights under the regulation. There is a generation of children who are growing up to realize that what they shared on social media would have been better kept private for all sorts of reasons. This generation will start to exercise their right to be forgotten under the GDPR. Interestingly, the proposals for extending protection for children under COPPA also include an “erase” button.
How do you see countries that are not in the EU moving towards protecting kids online?
CQ: The GDPR has sparked a wave of new privacy laws and updates which will to some degree include obligations around children’s data. To date COPPA and the GDPR are the most comprehensive laws when it comes to protecting children in the digital world. It’s important to remember that both have long arms. US-based organizations must treat all children compliantly under COPPA globally as well as comply with local legislation. The GDPR requires that an EU controller processing the data of any individual within the context of its activities complies regardless of the location of the individual. Organizations outside the EU processing the data of an EU data subject must comply with the GDPR. Therefore organizations globally are still impacted whether the countries bring in new legislation or not.