Companies have had two years to adapt to the EU’s General Data Protection Regulation (GDPR) legislation, which begins on May 25 and limits the amount of data companies across the EU can collect and retain on individuals. But compliance can be a complex issue, especially when children’s apps and services are involved. This is largely because the data-gathering technology was originally designed for an adult audience.

GDPR-K is a separate piece of legislation, designed specifically to address a young audience. In many ways, it mirrors the Children’s Online Privacy Protection Act (COPPA) in the United States, which was passed in 2000. COPPA requires expressed parental consent before any information on children under the age of 13 may be collected. But even though that legislation has been in effect for almost two decades, compliance issues and lawsuits still arise.

“Under 13 digital engagement is an entirely different paradigm to the adult space,” Dylan Collins, CEO of the “kidtech” company SuperAwesome, told AListDaily. “Whereas adult engagement and marketing is about personal data collection by default, under 13 engagements must be done on a ‘zero-data’ basis to be compliant with COPPA and GDPR-K.”

GDPR-K is almost identical to COPPA, except that the definition of “child” is increased to the age of 16 in Germany, Netherlands and France. Although other EU nations set the age to 13, pan-European companies are likely to use 16 as the standard for brand safety’s sake.

Collins notes that the new age threshold means that many app publishers that were previously geared toward “family” or “mixed” audiences will now be considered kids’ publishers—meaning that they’ll have to swap out their adult-oriented adtech services for zero-data equivalents.

Whatever the age, parents aren’t likely to give up their children’s information, so brands will have to rely on zero-data solutions. That means all activity will have to be purely contextual—no retargeting or behavioral targeting allowed when engaging with a pre- and adolescent audience. Data, even for an audience that doesn’t have set tastes or habits, must be collected anonymously for product development and building engagement.

“It’s important to distinguish anonymous usage data with personal information,” Collins explained. “Kids have become one of the fastest growing online audiences, and you can see from recent developments by Facebook, [like] Messenger Kids, the acquisition of TBH and [Google] YouTube Kids, just how significant their influence has become.”

Collins says that the under 13 audience is also a major driver for smart speaker adoption, and children’s engagement with content is becoming increasingly important for both lifestyle and tech brands. As a result, the entire kidtech sector emerged to address issues of safe digital entertainment using COPPA/GDPR-K compliant attribution, programmatic and other zero-data methods.

The kidtech market is on track to reach $1.2 billion by 2019 with digital spending reaching 28 percent of total kid-focused advertising spend, according to the PwC Kids Digital Advertising Report 2017—which was commissioned by SuperAwesome—making it one of the biggest privacy-based digital media markets in the world. The PwC report also estimates that 10-to-20 percent of kids digital ad spend will be on compliant programmatic advertising by the end of 2018.

Companies such as WildWorks—which doesn’t serve third-party advertising for its Animal Jam game, apps or websites—rely on anonymous data.

“Collecting anonymized, aggregated data from our products about play time, content popularity, etc. is important in guiding design and content,” explained Mitch Smiley, marketing director at WildWorks. “Issues addressed by COPPA/GDPR like parental consent, transparency and data security are vital in how this is accomplished, so we’ve chosen to work with a third party—the Better Business Bureau’s CARU (Children’s Advertising Review Unit) program—to verify our compliance.”

Smiley pointed out that an equivalent verification service does not yet exist for GDPR, but COPPA-compliant companies may find it relatively easy to adapt. However, they may need to expand their content marketing strategy.

“Using kids’ data to serve behavioral ads or to build remarketing lists is already prohibited,” said Smiley. “This makes relevant content-based targeting—and doing the necessary audience research to know what that content is—that much more important.”

Smiley compared children’s app marketing to traditional TV campaigns, which are targeted to a specific show rather than the audience. WildWorks focuses on content targeting by staying current with popular trends, media and apps through active community engagement.

“This is a high-touch, costly approach, and we employ a large staff of moderators and an in-house community team to pull it off,” he said. “It’s definitely not as easy or cheap as letting ad networks collect millions of data points from users.”

Child-oriented platforms such as Roblox and Fingerprint use similar practices.

“Roblox relies primarily on word-of-mouth among our community to market and promote the platform,” said Tami Bhaumik, vice president of marketing at Roblox. “To the extent that it utilizes data as a means of engaging new users, Roblox limits its collection of data to what is strictly necessary and acceptable under its strict data policies.”

Specifically, Bhaumik explained that Roblox limits the personally identifying information (PII) it collects from its players to what is necessary to run a safe and efficient platform, adhering to CARU to ensure that data isn’t disseminated inappropriately, which includes preventing underaged users from sharing personal information through in-game chat.

Nancy MacIntyre, co-Founder and CEO of the Fingerprint media platform, added that information for kids products are often for getting a full understanding of user behaviors and acting on them. But since legislation such as COPPA limits online data collection, including locations and IP addresses, analytics must be handled differently, and marketers need to be “completely transparent with parents about storing any data and getting approval to do so.”

Many COPPA-prohibited data collection features such as audience building, remarketing and behavioral targeting are innate to digital advertising platforms. Smiley suggests that, in addition to having a thorough and updated privacy policy, it’s important for companies to have a strong grasp of the technology in order to properly vet third-party partners.

“Many adtech vendors will ask advertisers to place remarketing or behavioral data-collection tags on their site as a standard practice,” said Smiley. “This obviously needs to be avoided by COPPA/GDPR compliant websites and marketers.”

Collins explained that the decline of children’s television has paved the way for kids to become the fastest growing online audience on the planet, but the internet is still a fundamentally adult environment.

“Many brands are still using adult tools and technology, especially adtech, to engage with kids, which means they’re also unintentionally capturing vast amounts of personal data on children,” said Collins.

To keep engagement context-only, Collins echoes Smiley’s observations, stating that brands will need to ensure all partners in their delivery chain are COPPA and GDPR-K compliant, in addition to making sure agencies go through relevant training and certification programs. For example, Bhaumik said that Roblox is a member of the kidSAFE Seal Program, which has been approved by the Federal Trade Commission as an authorized safe harbor under COPPA.

Ultimately, engagement is key, and Collins said that brands shouldn’t just look to technology partners for compliance and brand safety, but as an effective way to engage with a young audience.

“The most successful brands in this space focus on both reach and engagement strategy with their partners,” said Collins.