The end of May saw inboxes flooded with “We’ve updated our terms of service” emails, all in the name of the General Data Protection Regulation (GDPR), a new set of European Union regulations on data privacy and protection. They cover any company operating online in the EU, which, with the prevailing nature of the internet, includes nearly every business on the planet. The deadline to comply passed on May 25—and many are not prepared for what comes next.

“People think they can make an update to their policy, maybe some implementation on the back end, then put the word out to consumers and forget about it,” says Shai Samet, founder and president of Los Angeles-based safety certificate service kidSAFE Seal. “Whether companies take GDPR seriously and see it as an ongoing effort will depend on the enforcement that follows.”

The regulations are long and make for a dull read, but there are several important points that apply to the kids industry, where privacy has become a vital issue. In the US, around 10,000 kids go online for the first time each day, while in China that number is closer to 50,000, according to kidtech firm SuperAwesome. And in a recent survey, Common Sense Media found that nine out of 10 teens think it’s important that sites clearly label what data they collect and how it will be used.

While all the articles in GDPR apply to kidtech, article eight (entitled GDPR-K) is specifically earmarked for those hoping to attract the youngest generation’s attention. The major change article eight presents is letting countries decide what age someone is considered a child online, ranging from 13 to 16. Previously, that definition was 13 across the board.

Germany, the Netherlands, Italy and Ireland have all opted for age 16, while France upped its definition to 15. For now, the other EU members are sticking with the status quo of 13. Anyone younger has to ask for parental permission before using an app or site that asks for any personal information. Alternatively, that service has to operate within an anonymous, zero-data environment.

GDPR-K is, in some ways, bringing Europe up to speed with the Children’s Online Privacy and Protection Act (COPPA) in the US, which was introduced in 2000 and updated in 2013. This is especially true when it comes to creating zero-data environments for kids online, an idea started by COPPA.

“I think in a few years this will move from being a law that’s focused on companies, to something that becomes closer to a universal child’s right to have some form of zero-data access to the internet,” says Dylan Collins, CEO of SuperAwesome. “There’s no reason that companies need to access the personal information or data of an eight-year-old. It’s simply not required.”

However, the two regulatory acts differ in important ways. For instance, GDPR-K states that any new privacy policy updates must be written in plain language that’s understandable even to a child. Additionally, fines for companies failing to comply with COPPA are US$40,000 per user violation, while GDPR fines are up to 4% of global revenue or US$23.4 million (€20 million), whichever is higher. These fines went into effect May 25, and several complaints have already been filed against big techcos.

“You’re going to see action taken by the EU or various governments, and then you’re also going to see actual civil lawsuits against these companies,” says Collins.

With digital ad budgets in the kids space up 25% year-over-year and set to reach US$1.2 billion by 2019, according to PwC, these regulations are not only important for kids, but for businesses operating in the space. A recent survey conducted by UK-based software company Sage found that 91% of American companies lack awareness about details of the new regulations, and 84% don’t at all understand GDPR’s implications for their businesses. And even if a company doesn’t identify as kidtech, any technology, casual game or popular mobile app loved by kids will now be considered “child-directed” and fall under these regulations.

For companies reaching younger audiences than they intended, this could be a headache. However, for companies staunchly in the kids space already, such as Hopster, the shift has been relatively painless.

“We almost designed Hopster to be GDPR-compliant before GDPR was a thing, in that we’ve been pretty careful not to collect data we didn’t need,” says Nick Walters, Hopster’s founder and CEO. “One thing that got people into trouble in the past is that they talk about big data and how important it is, leading them to stack up data they don’t need just for the sake of having it. We have never collected children’s names, and it’s perfectly possible to use Hopster without giving us your email address because you can just subscribe through iTunes.”

The UK-based SVOD and game app did have to make some changes to prepare for GDPR, including consolidating the data it does keep into one repository, making it easier to comply with the right to be forgotten. Under the new regulations, people can submit a request to any app, so that when they delete their account and remove it from their device, the data stored by the company will be scrubbed within 30 days.

Walters says Hopster has already had its first few requests to be forgotten, and his team was able to quickly comply following recent updates to the platform’s back end. Hopster also compiled a 3,000-word GDPR policy bible so that everyone in the company knows how to comply with the new rules, which is also available for Hopster’s partners and users to reference.

To further ensure things were working harmoniously, Walters appointed Hopster’s CTO and general counsel to run point on all things GDPR for the company.

“Do not put your head in the sand and assume this isn’t going to be an issue for you. It’s complex and there’s a lot to do, but it’s perfectly manageable. And actually, I think this is legislation that the kids industry should be embracing,” says Walters.

Barcelona-based kids game studio and publisher TutoTOONS also has some advice for the kidtech industry regarding the new legislation: pay attention to who you’re working with.

“The partners you’re working with can access data inside your app,” says Damien Bruneau, co-founder and head of business development at TutoTOONS. “You need to be careful about what kind of agreements they have, what data they can collect and for what purposes, and make sure it’s all compliant.”

Bruneau says the publisher was having problems with an ad network partner that wouldn’t take responsibility for GDPR. TutoTOONS avoided using behaviorally targeted ads or collecting user data on its end, but couldn’t ensure this partner was doing the same. Ultimately, the publisher cut ties with the company in question, and now TutoTOONS works with SuperAwesome, Kidoz and Google’s AdMob to get kid-specific ads that aren’t collecting and storing data.
“We only target kids, and they’re generally under 13, so there’s no doubt if we need consent because we need to ask every time. We know what works for kids, and that’s no behavioral targeting,” says Bruneau.

To help kidtech companies navigate these uncharted waters and offer proof that they’re following the rules, kidSAFE Seal is working on a GDPR Seal to join its kidSAFE Certified, COPPA Certified and Listed Seals. However, it will need to work with various governing bodies to get approval from the necessary European authorities to certify companies.

While some COPPA-compliant businesses will be ready for the changes ahead, Samet does have concerns about GDPR’s changes to age limits. If all under-17s are considered children in some markets, companies may decide it’s too troublesome to include them on their platforms. “It’s very possible that, given the burdens of compliance, businesses will just change their terms of use,” he says. “Then you’ll have more kids lying about their age to get on those platforms, which, in the end, would be less protective to them.”

Samet notes that companies are now caught between a rock and a hard place, because there’s no easy way to prove how old someone is without collecting even more data, which goes against the very nature of the regulations. As a result, he says it’s likely the industry will turn a blind eye to kids gaming the system.

All eyes will be on the kidtech space, however, to see who is hit with the first fine, as that will determine the tone of the legislation and the EU’s willingness to go after violators. That, in turn, will affect how compliant companies feel they need to be.

“Enforcement is going to be key. If GDPR is going to be heavily enforced, we’ll find that it’s taken more seriously in the long run, and adopted and embraced. At that point, we might start to see some businesses fail because the burden of compliance is too great to sustain a business,” says Samet. “But I don’t think that’s going to be just for the kids sector—it will hit the whole digital sector for companies operating in Europe.”