The UK is set to introduce sweeping new regulations to protect children’s data online, including in effect walling off large swaths of the web to under-18s, despite widespread criticism from a range of companies that operate online services.
The new rules, proposed by the Information Commissioner’s Office, seek to limit online practices that might harm children, such as location tracking, content personalisation and tailored behavioural “nudges” such as YouTube recommendations and targeted advertisements.
In order to comply with the code, companies would need to either make all of their services “child-friendly” — by turning off default functions such as geolocation and personalisation — or otherwise “age-gate” their websites, requiring users to verify their age to gain access to them.
The regulations, which could fundamentally reshape scores of online businesses, would apply to any company with online services that a child might use, ranging from ecommerce sites such as Asos to search engines, news sites and social media platforms, the ICO said.
If implemented, they would carry the same potential penalties as the EU’s General Data Protection Regulation — including a fine amounting to 4 per cent of global turnover for companies that do not comply.
The UK has been one of the first movers globally in looking to safeguard children’s privacy online. But there are concerns that the ICO’s new regulations may bring in excessive constraints, while unfairly advantaging bigger companies.
“The UK has been pioneering in relation to its protection of children on the internet, particularly its move toward protecting children’s data online, which is very fresh,” said Victoria Nash, deputy director of the Oxford Internet Institute and an expert on children’s use of digital services.
“However, my two concerns are that this wide-ranging regulation tends to increase monopoly power of big tech firms, rather than decrease it. The second is a slight residual concern that it focuses on specific features or tools [like geolocation], which aren’t in themselves always problematic.”
Ms Nash’s concerns were echoed by tech representatives from large and small firms, whose objections ranged from the ICO’s indiscriminate targeting of all online business, to its potential to strangle start-ups and its conflation of issues of inappropriate content with data protection.
“[The new framework] was developed by the ICO to a tight deadline with less industry engagement than is normal for an initiative of this scope,” said Antony Walker, deputy chief executive of TechUK, an industry group representing Google, Facebook, Amazon and others. “In particular, we are concerned that it could lead to some unnecessary age-gating of online services.”
Others working for digital start-ups in the UK said they were worried that the regulation was trying to solve the problem of harmful content through a broad-brush approach that would hit smaller companies.
“This discussion started around how social media companies are acting, but it hits the whole digital economy. And you are actually going to drive traffic to the big tech companies that are financially able to build products that comply with this code,” said a person close to the start-up industry, who did not wish to be named. “The breadth of the code, the age verification issue — it’s just a badly drawn piece of legislation.”
In a draft of the regulation published in May, the ICO said it expected all companies to collect users’ personal information in order to verify their age. However after a backlash from online companies, it has softened its stance, saying that it will review the requirements for verification depending on the type of data being processed.
Despite criticisms, the new code has been touted as a pioneer.
“Children and their parents have long been left with all of the responsibility but none of the control over protecting children’s data. The Code will change this by forcing companies to put the ‘best interests’ of children above their own commercial interests,” said Beeban Kidron, a member of the House of Lords who originally proposed the amendment to the law.
“There are laws to protect children in the real world — film ratings, car seats, age restrictions on drinking and smoking. We need our laws to protect children in the digital world too,” said Elizabeth Denham, the UK’s Information Commissioner, who was responsible for drafting the rules. “In a generation from now, we will look back and find it astonishing that online services weren’t always designed with children in mind.”
