ICO Children’s Data Rules Meet With Divided Response

Why Collect Data?

Upcoming regulations hailed as a pioneering step to protect children’s data online, but some fear they could favour big tech companies

Proposed regulations aimed at protecting children’s data online have been met with a mixed response, with some concerned it could disrupt online services or increase the monopoly power of large tech firms.

The Information Commissioner’s Office’s (ICO) last week introduced the Age Appropriate Design Code, a set of 15 standards intended to protect the way children’s data is collected and used online.

It is intended to provide children with an increased level of data protection by default, with privacy settings automatically set to a high level, and restrictions on features such as location services and tailored advertising.

“Personal data often drives the content that our children are exposed to – what they like, what they search for, when they log on and off, and even how they are feeling,” said information commissioner Elizabeth Denham.

data encryption
Privacy

“In an age when children learn how to use an iPad before they ride a bike, it is right that organisations designing and developing online services do so with the best interests of children in mind. Children’s privacy must not be traded in the chase for profit.”

The ICO is to be given enforcement powers under the GDPR to back up the rules, including fines of up to £17 million or 4 percent of global turnover.

The rules are said to be the first of their kind in the world, although similar schemes are under consideration in Europe and the US.

The standards were introduced in the Data Protection Act of 2018 and the code was submitted to the government in November.

It is now set to move through a statutory process, first being submitted to the European Commission for review under the UK’s ongoing obligations as a member of the EU.

After a three-month standstill period, it is to be laid before Parliament and, if approved, organisations are to be given a 12-month transition period to update their practice and services, with the code’s provisions expected to come into force late next year.

Age-gating

While privacy advocates have welcomed the changes, some are concerned they could be overly broad, forcing large sections of the internet to impose “age-gating” mechanisms.

Industry group TechUK, which represents Google, Amazon, Facebook and others, commented that the rules could lead to unnecessary age-gating.

Some start-ups, meanwhile, are concerned the changes could favour large tech firms, which would be more easily able to absorbe the costs of compliance.

The regulation takes an overly “broad-brush” approach that could harm smaller firms, an unnamed person close to the start-up industry told the Financial Times.

But the ICO said new rules are necessary to adapt to the digital age.

“One in five internet users in the UK is a child, but they are using an internet that was not designed for them,” said information commissioner Denham.

“There are laws to protect children in the real world – film ratings, car seats, age restrictions on drinking and smoking. We need our laws to protect children in the digital world too.”