The countdown to GDPR compliance: children and consent
In preparation for The General Data Protection Regulation (GDPR) there must be an active UK decision about how younger children will prove they have parental permission to access ‘Information Society Services’. It’s to enable parental consent to their child’s data collection by the service.
Whether that will end at 13, 16 or somewhere in between remains undecided.
The UK Digital Strategy commits under the heading of “Unlocking the power of data in the UK economy and improving public confidence in its use” to the implementation of the General Data Protection Regulation by May 2018. The Strategy frames this as a business issue and labels data as “a global commodity”. Its handling is framed solely as a requirements needed to ensure “that our businesses can continue to compete and communicate effectively around the world” and that adoption “will ensure a shared and higher standard of protection for consumers and their data.”
The GDPR as far as children goes, is far more about protection of children as people. It contains provisions designed to restore children’s control over their own personal data, and being able to rectify errors and revoke control by others. It talks about data portability, and access rights, rather than consumer rights. Where the boundary lies is not clear cut. Even today there are data rights issues which are also consumer issues and product safety failures.
Article 8 of the GDPR however, introduces specific protections for children restricting their ability to consent to data collection and processing without parental authorisation under a certain age. Unless children lie.
To have been consistent with the age of consent set by COPPA regulation in the U.S. this age would have been set to 13. However, a last-minute proposal raised the GDPR age of consent to 16 and allows for member states to lower this to 13 as each state chooses, and the decision-making process left a lot to be desired.
Sadly, as academics have noted children have not been involved in these decisions about them. Under the work led by Sonia Livingstone at LSE, “Eva Lievens is rightly dismayed that the GDPR has so far taken no account of evidence about or – as Joseph Savirimuthu notes, views from children and young people themselves.”
The GDPR is incredibly important and will shift the balance of rights back towards the individual. But in respect of children’s rights it does little to rectify problems and remains seriously flawed.
Our UK Digital Economy Bill on data should have been the place to address this, but despite repeated requests to do so in Cabinet Office led meetings children’s rights have remained firmly out of sight and out of scope. It will nonetheless affect government data handling and that by business.
That ‘consent’ can be valid in these circumstances is doubtful at best. Risks can mean the loss of control over personal data and digital identity and for a lifetime. How will age verification measures and consent really address the underlying issues, including loss of autonomy when web content uses our personal data, and identity, in a secret data slave trade behind the screen. The fundamental flaw is that a consent based model is not what web content is built on. How many adults, never mind children, understand how their digital identity is traded and risks involved and how informed and freely given can consent be, when it is usually a reluctant trade-off, for a desired service?
Is it even technically possible to differentiate for the same site used in different countries, or will sites make it easy and default to one standard age requirement?
The GDPR seeks to prevent and rectify these interferences with lawfulness and the legitimate interests of children. But the fact remains that consent and age verification are both problematic.
So the countdown is now on to make this effective.
As Sonia Livingstone reminds us in her extensive work on the GDPR and children’s rights in her post on the LSE media blog about what to expect and its online challenges for children:
“Now the UK, along with other Member States, has until May 2018 to get its house in order”.
What needs to happen?
- Decisions are now needed between the Information Commissioner and government for a future thinking, considered and evidence based approach on law on the age of consent and age verification, with academic, civil society and ICT stakeholders input.
- The definition of “online information services” and the implications of this across access to all Internet sites in the EU needs consideration for users of all ages on sites which may also be aimed at children
- Where obtaining consent the collectors must ensure that it is a clear affirmative act, and is freely given, specific, informed, unambiguous and can be withdrawn at any time
- There is a duty to inform children of their rights as a data subject in clear and plain language, and in a concise, transparent, intelligible and easily accessible form.
- Specific protections are extended to children, in particular regarding marketing and profiling, and data processing when services are offered directly to children and this will mean changes in practice.
- Thorough consideration is needed to participation rights as well as protections in policy and legislation
- Action is required from policy makers and legislators, developers, providers and product suppliers, and in enabling enforcement and in educating the public
31/12/2017: This blog was published in March 2017. The Information Commissioner Office was consulting on consent under GDPR which closed on March 31. In December 2017 the ICO launched a new consultation open until February 28, 2018. See the ICO page to provide feedback>> Children and the GDPR.