How Britain’s new child privacy protections will impact the internet

A massive crackdown on how tech and social media companies use children’s data is underway in the UK.

Over the next 12 months, everyone from YouTube to Spotify will legally have to conform to a set of 15 “standards” laid out in the catchily-named guide, “Age appropriate design: a code of practice for online services,” released on Wednesday by the UK’s Information Commissioner’s Office.

If they don’t make the necessary changes – which are aimed at anyone under the age of 18 – the companies risk regulatory action.

“The code is a set of 15 flexible standards — they do not ban or specifically prescribe — that provides built-in protection to allow children to explore, learn and play online by ensuring that the best interests of the child are the primary consideration when designing and developing online services,” Information Commissioner Elizabeth Denham said in a statement.

But what exactly are the standards set out in this code, and how will they affect the sites we use?

Privacy settings must be set to ‘high’ by default

This is a big one. Unless companies have a “compelling reason” (a slightly wish-washy phrase that crops up regularly in the guidelines) not to, the new code requires them to make sure their default settings are as water-tight as possible when it comes to data.

“This means that children’s personal data is only visible or accessible to other users of the service if the child amends their settings to allow this,” reads the code’s description of what “high privacy” settings means.

“This also means that unless the setting is changed, your own use of the children’s personal data is limited to use that is essential to the provision of the service. Any optional uses of personal data, including any uses designed to personalise the service have to be individually selected and activated by the child.”

“Similarly any settings which allow third parties to use personal data have to be activated by the child.”

The code also states that companies must minimise the personal data they collect and retain, that they can’t disclose children’s data without — you guessed it — a “compelling reason”, and that they shouldn’t use sneaky website design tricks to try and encourage users to hand over unnecessary data (no more huge green buttons begging users to click the YES option, in other words).

Children must also be made aware if they’re being tracked or monitored by a parent, and privacy information must be presented to them “in clear language suited to the age of the child.”

Location tracking

Unsurprisingly, the code isn’t too keen on location tracking in general. Point 10 of the guidelines requires companies to “switch geolocation options off by default” unless they can provide a “compelling reason” not to, as well as making it clear to children when their location is being tracked.

“You should make sure that any option which makes the child’s location visible to others is subject to a privacy setting which reverts to ‘off’ after each session,” the code states. “The exception to this is if you can demonstrate that you have a compelling reason to do otherwise taking into account the best interests of the child.”

An example of a platform that might be affected by this is Snapchat, and its in-app map that gleefully encourages you to “Share your location with select friends!” At present, if your location is visible, it’ll stay visible until you turn on “Ghost Mode” to hide where you are. 

Under the new code, though, this clearly wouldn’t be acceptable — Ghost Mode would presumably have to be reinstated whenever the app was closed. That’s of course unless Snapchat could present a “compelling reason” to avoid this.

These changes will affect everyone

Obviously, the standards laid out in the ICO’s code aim to protect children. But the reality is, they’re likely to affect everyone using the internet in the UK.

For instance, the code states that companies will have to make changes for all their users if they’re unable to “establish age with a level of certainty that is appropriate to the risks to the rights and freedoms of children that arise from [their] data processing.”

So the obvious question is, how do you establish age?

Well, the code has a big section on this, which advises methods ranging from self-declaration (the old school, very-easy-to-dodge way) or third party verification to the use of AI to make an age estimate — but some people are clearly still concerned about the impact this might have on our day-to-day internet use.

“The ICO has made some useful changes to their code, which make it clear that age verification is not the only method to determine age,” Jim Killock, the executive director of the Open Rights Group, said in a statement sent to Mashable.

“However, the ICO don’t know how their code will change adults’ access to content in practice.”

Killock goes on highlight the need for an impact assessment, which could be used to gauge how our daily internet use may be impacted by these new standards.

“Age Verification demands could become a barrier to adults reaching legal content, including news, opinion and social media,” he said. “This would severely impact free expression.

“The public and Parliament deserve a thorough discussion of the implications, rather than sneaking in a change via parliamentary rubber stamping with potentially huge implications for the way we access internet content.”

It’s worth noting that the last time the UK government dabbled in age verification — back when they were attempting to block children’s access to porn sites —their plans were eventually ditched after years of delays and a big push back from privacy campaigners.

Obviously that was a very different situation — in the case of the ICO’s new code, for instance, age verification won’t necessarily be required.

But lots of questions still remain. 

We don’t yet know, for instance, whether people outside the UK will be impacted (this will likely depend on whether companies decide to roll out any changes they make globally or not); we don’t know how strict the ICO is going to be when it comes to enforcing the code (the repeated use of ambiguous phrases like “compelling reasons” suggests there’ll be some wiggle room); and finally, in an environment where self-declaration can be skirted and verification leads to privacy concerns, we don’t know how the issue of age will be handled by companies.

Chances are, until they begin taking steps to comply with the new code, and we see what it looks like in practice, these questions will sit in wait.