UK wants to force internet companies to think of the children
A UK regulator has drafted 16 things internet companies need to do to help protect children online or else.
April 15, 2019
To be precise, it has launched a consultation on a document called ‘Age appropriate design: a code of practice for online services’, but there is little precedent for these consultations resulting in anything other than plan A being fully implemented. It lays down a bunch of rules that anyone providing online services that could be accessed by children – i.e. nearly all of them – needs to follow.
“This is the connected generation,” explained Information Commissioner Elizabeth Denham. “The internet and all its wonders are hardwired into their everyday lives. We shouldn’t have to prevent our children from being able to use it, but we must demand that they are protected when they do. This code does that.
“The ICO’s Code of Practice is a significant step, but it’s just part of the solution to online harms. We see our work as complementary to the current focus on online harms and look forward to participating in discussions regarding the Government’s white paper.”
There are many conceits and Orwellian aspirations implied in those two short statements, not least the inference that the government could prevent children from being able to access the internet if it wanted to. But then nobody’s in favour of harm, are they, so surely this is all for the best. Here’s a summary of the 16 commandments.
Best interests of the child
Protect them from any conceivable harm but you’re still allowed to make money so long as you do that.
Age-appropriate application
If you can stop kids accessing your stuff then don’t worry about all these rules.
Transparency
Provide clear privacy information, including ‘bite sized’ explanations at the point at which use of personal data is activated that kids can understand.
Detrimental use of data
Don’t use kids’ data in a way that might be detrimental to them.
Policies and community standards
Implement your own policies.
Default settings
Privacy settings must be ‘high’ by default and be difficult to change. Reset existing user settings accordingly.
Data minimisation
Only collect the minimum amount of data you need to provide your service.
Data sharing
Don’t share kids’ personal data unless you’ve got a really good reason to do so.
Geolocation
Switch it off by default unless you’ve got a really good reason not to, and even then make it clear that it’s on.
Parental controls
Let kids know when their parents are keeping an eye on them.
Profiling
Turn it off by default unless you’ve got a really good reason not to and even then think of the children.
Nudge techniques
Don’t try to persuade kids to lower their privacy protections and don’t use things like reward loops to keep kids engaged. This could even include ‘likes’.
Connected toys and devices
All this applies to them too.
Online tools
Give kids tools to protect themselves online and make them prominent.
Data protection impact assessments
A bureaucratic process to demonstrate you’ve complied with these rules.
Governance and accountability
More bureaucracy to show you’ve done what you’re told.
“If you don’t comply with the code, you are likely to find it difficult to demonstrate that your processing is fair and complies with the GDPR and PECR,” warns the consultation document. “If you process a child’s personal data in breach of this code and the GDPR or PECR, we can take action against you.
“Tools at our disposal include assessment notices, warnings, reprimands, enforcement notices and penalty notices (administrative fines). For serious breaches of the data protection principles, we have the power to issue fines of up to €20 million or 4% of your annual worldwide turnover, whichever is higher.”
Some of the above points, such as 3, 5 and 14, seem perfectly sensible, but taken all together this initiative seems designed to massively increase the bureaucratic burden on nearly all internet companies. As ever, the largest ones can just call on their compliance departments to mitigate the restrictions and keep the companies out of trouble. Small ones, however, may have to just impose age restrictions.
In that respect this seems like an extension of UK porn block law, which Wired does a good job of picking holes in below. At the very least this sort of thing is great news for VPN providers. The announcement coincides with the European Copyright Directive clearing its final hurdle, so before long everyone will be able to access the internet secure in the knowledge that nothing bad will ever happen to them.