The clock is ticking for enforcement of GDPR in May, which will trigger unprecedented change across Europe’s digital media ecosystem. In this piece for ExchangeWire, Dylan Collins (pictured below), co-founder and CEO, SuperAwesome, explains why it’s not enough to look for GDPR-compliance – in the kids’ space, you also need GDPR-K-compliance.

While the new regulations affect general audience publishers and advertisers, there’s a separate set of requirements for those engaging with the kids’ audience, now being referred to as ‘GDPR-K’. GDPR-K dramatically changes the landscape for kids and family advertisers, agencies, and digital publishers operating in Europe.

Think of GDPR-K as COPPA for Europe

The U.S. pioneered a kids’ digital privacy law with COPPA (Children’s Online Privacy and Protection Act). This law prevents the capture of personal information from under-13s (e.g., cookies) and thus banned behavioural advertising, retargeting, etc. COPPA ultimately led to the creation of what is now the biggest privacy-based digital ad market and, in parallel, the emergence of ‘kidtech’, ‘zero-data’ tools for brands to safely engage with kids.  

Dylan Collins, Co-Founder & CEO, SuperAwesome

GDPR-K effectively replicates COPPA in Europe, with some important nuances. It extends this ‘zero-data’ digital environment from the U.S. to Europe and sets the stage for a global standard for digital engagement with kids. As well as larger fines, GDPR-K also puts in place a framework for class action lawsuits, which we have already seen occurring in the U.S. for alleged breach of kids’ data privacy laws.

Reshaping the landscape for kids & family publishers

GDPR-K will radically change the kids and family publisher landscape in Europe. Many of those probably feel their obligations only extend to GDPR. However, this is not enough for those with a kids’ audience or even a potential kids’ audience.

• Children are now being defined as anyone under 16 in Germany, France, and the Netherlands. This means that many publishers that previously had a non-kids’ audience (i.e., over 13) are now firmly categorised as children. This almost certainly has a huge impact on games publishers, many of which will now be classified as kids’ publishers and, therefore, need to make urgent changes to their ad-stack
• No more behavioural ad targeting. For all those publishers monetising with ads (the vast majority), this will be a huge change. All kids’ publishers will need to strip out their existing ad-tech providers. Critically, this will also mean removing social media plugins, which are one of the top culprits for capturing data on kids.
• You need to rewrite your privacy notices and policies. GDPR-K requires that all language presented in your privacy policy is transparent, concise, and completely comprehensible by both parents and children.

GDPR-K marks the moment where publishers must make a decision about their content and audience. If your audience is ‘family’, you’ll need to commit to a kids strategy, or age-gate your audience between kids and grown-ups. You can no longer be ambiguous about younger users.

What kids’ brands & their agencies need to know about GDPR-K

Historically, as a brand or agency, you could largely ignore what kind of technology was delivering your ad to children in Europe. Under GDPR-K, this will change.

• Unless parental consent is in place (unlikely), any kind of behavioural targeting, profiling, or retargeting of children in the EU will be banned from 25 May. Instead, agencies and brands must stick to contextual advertising and ensure their partners are using dedicated ‘kidtech’ or other technology that is clearly ‘zero-data’ by design.
• Many advertisers have previously used games ad networks to reach kids. Those operations are typically repurposing data-gathering ad tech to deliver kids’ ads into games publishers. Unless those vendors can show you how they’ve re-tooled to be zero-data, you may have a significant liability under GDPR-K.
• Be wary of any 'nuanced' interpretations of the GDPR. In particular, two dangerous and misguided rumours are circulating: 1) that persistent identifiers such as IP addresses and device IDs are not personal information (they are); 2) that advertisers can engage in behavioural advertising with children because they have a ‘legitimate interest’ to do so (they don’t). Don’t be fooled, both notions have been thoroughly debunked by the authorities.

For many brands and agencies, the practical reality of running campaigns across Europe (e.g., movie releases) will mean defaulting to zero data collection from anyone under 16. Although this sounds challenging, the emergence of the ‘kidtech’ sector over the last few years means there are clear solutions for achieving this. It’s not enough to look for GDPR-compliance – in the kids’ space, you also need GDPR-K-compliance.

This seems like a lot of change…

Yes, although that is not unexpected. With the growing number of kids online, we’re now seeing the emergence of global standards for digital kids’ privacy. The good news is that with the rapidly declining kids TV market, digital budgets are growing at 25%  annually (PwC Kids Advertising Report 2017). So, although GDPR-K will trigger major change across the European kids media landscape, the reward for compliance is guaranteed years of growth.