Snapchat targets GDPR compliance in challenge to social media rivals

Organizations often view regulatory compliance as a burden, but Snapchat has snapped at the chance to label itself as the social media platform that takes data privacy seriously. Last week, it unveiled the changes it has made to comply with the EU General Data Protection Regulation (GDPR), which, although an EU law, applies to organizations across the globe that offer goods and services to, or monitor the behavior of, EU residents.

The most significant revelation is that, unlike rival messaging app WhatsApp, Snapchat will continue to allow under-16s to use its service. Where an online service relies on consent to process a child’s personal data, the GDPR requires the organization to obtain parental or guardian consent (the default age is 16, but EU member states can set the threshold anywhere between 13 and 16). Facebook-owned WhatsApp removed the burden that comes with this requirement by raising its minimum registration age to 16, but that option was less viable for Snapchat. Teenagers are its most loyal and active users, so retaining this demographic was imperative. The move will also allow the app to welcome former WhatsApp users who can no longer use that service.

The decision comes at a price, though. The GDPR’s consent requirements are tough to navigate, and there are extra rules for children. Snapchat will have to go to great lengths to obtain and maintain valid consent, and if it isn’t vigilant about the way it does this, it runs the risk of violating the Regulation and facing enforcement action. To mitigate the risk, Snapchat says it will reduce the amount of data it collects from minors.

What else is it doing?

Snapchat also revealed that it has created an online privacy center, where users can read its privacy policy. The wording has been simplified (in line with Article 12 of the GDPR) and explains what the data is used for and how long it will be retained (in line with Article 13).

Its consent procedure has also changed: users must now opt in to the Lifestyle Categories and Discover features. Likewise, it is easier for users to opt out of those features if they change their mind.

Although it didn’t publicly announce it, Snapchat’s compliance project will almost certainly have included a great deal of behind-the-scenes activity aimed at demonstrating accountability and keeping personal data secure. This includes steps such as appointing a data protection officer (DPO) to oversee regulatory compliance, placing staff on GDPR awareness courses and implementing procedures for them to follow, and ensuring that its security controls are up to date.

What does GDPR compliance look like?

There is no single, best practice approach to GDPR compliance, as every organization has different priorities and needs. Even very similar organizations such as Snapchat and WhatsApp found different solutions to child consent requirements. The important thing is to assess each aspect of the GDPR and find a way to comply that suits your organization’s needs.

“That’s all well and good,” you might be saying, “but the GDPR takes effect in a matter of days.” It’s true that there’s not much you can do by May 25, 2018 (if that date hasn’t already passed by the time you’re reading this), but it’s not as if you have to stop preparing once the Regulation takes effect. Many organizations have only recently heard about the GDPR and have not been able to comply in time. If you’re in this situation, don’t panic. As long as you can demonstrate that you are taking concrete steps towards compliance, your supervisory authority is likely to take that into account.

One of the simplest requirements to comply with is to provide GDPR staff awareness courses to anyone in your organization who handles personal data. You can do this internally or find a third-party course, such as our Certified GDPR Foundation Training Course.

The latter option is preferable if you don’t have the time, resources, or expertise to train staff, or you want demonstrable evidence of your employees’ knowledge. Our one-day course concludes with a 60-question exam, and those who pass receive a GDPR Foundation qualification.

You might also be interested in attending our free webinar: Why should North American organizations comply with the GDPR? It provides an introduction to the Regulation, and explains how its requirements relate to other laws and why you need to comply.

The webinar takes place on Thursday, May 31, at 1:00 pm (EDT). If you can’t attend, the presentation will be available to download from our website, where you can also watch our other webinars.

Register for the Certified GDPR Foundation online training course >>