Advertising Platforms are increasingly subject to regulations, usually indirectly, as they seek to provider their services to advertisers who are subject to regulation for their product or service:
- Some services, such as gambling, may only be permitted to advertise to an adult – or mostly adult – audience.
- Advertising of other goods to children may be completely prohibited.
Platforms, particularly those serving ads in a targeted way, are also subject to data protection regulations which are more demanding when children’s data might be involved.
In this article, we will address only EU-wide requirements, plus a short footnote on the UK. But a general principle applies, that depending on domestic legislation, advertising platforms may need to know, with varying degrees of accuracy and certainty (“levels of assurance“) the age of those to whom they are serving ads.
EU Wide: Audio Visual Media Services Directive
Advertising Platforms are required to have in place measures that are appropriate to protect minors from content which may impair their physical, mental or moral development.
Advertising Platforms must establish and operate systems for obtaining assurance as to the age of potential viewers. Advertising Platforms must ensure that restricted material that has the most potential to harm the physical, mental or moral development of children must be subject to the strictest access control measures.
In effect, this means that if your site includes content that would be classified as only suitable for 18+ in a cinema, or would not be permitted at all, then you need to have implemented rigorous age verification mechanisms to ensure than no child under the age of 18 can access this content. This is a hard and fast rule applied up to the 18th Birthday, so estimation techniques will not work for users just over 18, but still within the margin for error of any given estimation technique.
This directive came into force in September 2020, but is only effective in any given Member State when it has been transposed into domestic law. Services fall under the jurisdiction of the country in which they are ‘established’ – which usually means the country of their headquarters within the EU.
Already in force
Austria, Belgium, Bulgaria, Germany, Denmark, Finland, France, UK, Hungary, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Portugal, Sweden
Scheduled to come into force
Cyprus – 30 June 2021 (with effect from 30 June 2022)
Czech Republic, Estonia, Spain, Croatia, Ireland, Poland, Romania, SLovakia, Slovenia,
(Data correct May 2021 – check source for updates.)
Enforcement and penalties
The regulator, Ofcom, will enforce AVMSD by:
- Issuing legally binding decisions if a VSP is in breach of its obligations for not taking appropriate measures to protect users;
- Setting out the steps required to remedy the breach and ensure compliance;
- Imposing financial penalties of up to 5% of ‘applicable qualifying revenue’ to ensure deterrence; and
- Issuing a direction to suspend or restrict the entitlement to provide a VSP.
EU Wide: GDPR (in force today)
You should be sure that your users are at least old enough to give consent for their personal data to be processed, if you rely on consent under Article 8 of GDPR, as a basis for processing some or all personal data you obtain from your users. (Remember, personal data even includes just an IP address.) In the UK, this “age of digital consent” is 13 but it varies between EU member states so if you have users in the EU, you will need to also determine their location and apply the relevant age as part of this check. Click here to see a map of the digital age of consent provided by our member PRIVO.
Enforcement and penalties
Tools at the disposal of the regulator, the Information Commissioner, include assessment notices, warnings, reprimands, enforcement notices and penalty notices (administrative fines). For serious breaches of the data protection principles, there is the power to issue fines of up to £17.5 million or 4% of your annual worldwide turnover, whichever is higher.
USA: Children’s Online Privacy Protection Act (COPPA)
The Children’s Online Privacy Protection Rule seeks to put parents in control of what information commercial websites collect from their children online. It applies globally to sites providing a service to users located in the USA.
You’re covered by COPPA if:
- Your website or online service is directed to children under 13 and collects personal information from them;
- Your website or online service is directed to a general audience, but you have “actual knowledge” you’re collecting personal information from a child under 13. The FTC has said that an operator has actual knowledge of a user’s age if the site or service asks for – and receives – information from the user that allows it to determine the person’s age. For example, an operator who asks for a date of birth on a site’s registration page has actual knowledge as defined by COPPA if a user responds with a year that suggests they’re under 13. An operator also may have actual knowledge based on answers to “age identifying” questions like “What grade are you in?”; or
- You run a third-party service like an ad network or plug-in and you’re collecting information from users of a site or service directed to children under 13.Third-party sites or services may have actual knowledge under COPPA, too. For example, if the operator of a child-directed site directly communicates to an ad network or plug-in about the nature of its site, the ad network or plug-in will have actual knowledge under COPPA. The same holds true if a representative of the ad network or plug-in recognizes the child-directed nature of the site’s content. Another way an ad network or plug-in may have actual knowledge: If a concerned parent or someone else informs a representative of the ad network or plug-in that it’s collecting information from children or users of a child-directed site or service.
Websites and online services covered by COPPA must post privacy policies, provide parents with direct notice of their information practices, and get verifiable consent from a parent or guardian before collecting personal information from children.
UK Only: Age Appropriate Design Code
The is in force today, but a grace period is in operation until 2 September 2021.
This statutory guidance, also known as “The Children’s Code” requires online services which process personal data (whether or not this is on the basis of consent or any other reason permitted under GDRP) to consider if they could risk the moral, physical or mental well-being of children under 18. And if so, to put in proportional measures to safeguard children and young people.
You need to consider the content of your site, and ask yourself how any current or future content might be harmful to children – so for example:
- Where adults can interact with minors, there is a risk of grooming, the inappropriate exchange of photographs and conversations etc. Indeed, research shows that this is increasingly a problem between minors as well.
- If video sharing sites facilitate could physical encounters by allowing users to communicate with one another, there may also be a physical risk if children agree to meet other people through the service.
Our opinion is that video sharing sites established in the UK clearly require age verification to be in place to identify children using the site so they can be protected from harmful content.
The level of rigor required is a matter for the judgement of the sites concerned – giving consideration to the nature of the content on the site, the number of users under 18 found to be using it, etc. But given the reputational risk if a child is harmed by your service, we recommend at least a standard level of assurance. See our page on levels of assurance for an explanation of the methods of age verification that achieve this degree of confidence in an age check.
Enforcement and penalties
As for GDPR above.