Privacy, Data Protection and Cybersecurity Law
Privacy, Data Protection and Cybersecurity Law
Emily Parker
Dr. Andrew Whitfield
University of London
February 15, 2025
Introduction
Implemented in 2020 and coming into effect in 2021, the UK Age Appropriate Design Code (AADC) is a formative policy framework designed to safeguard youngsters using or likely to use online technologies.1 It comes at a time when Internet usage has increased significantly, 5.6 billion worldwide,2 with children (15- to 24-year-olds) making up 19% of this demographic.3 In the UK, 92.6% of children go online daily.4 Even as more youngsters continue to join this space for various purposes, the dangers they face have also surged, with potential privacy violations taking priority in societal and technological conversations.5 The AADC stands to address such concerns, prescribing new and more targeted standards and regulatory obligations on how online service providers (OSPs) tailor and market their services to youngsters and treat children’s data.6 This essay examines what this code is, why it is being implemented, and the extent to which it is safeguarding children’s privacy and ensuring their safety.
1. Thomas D Grace, Christie Abel and Katie Salen, ‘Child-Centered Design in the Digital World: Investigating the Implications of the Age-Appropriate Design Code for Interactive Digital Media’ [2023] Interaction Design and Children.
2. Simon Kemp, ‘Digital around the World’ (DataReportal2024) <https://datareportal.com/global-digital-overview> accessed 9 December 2024.
3. Niccolò Comini , ‘The Internet Celebrates Its 40th Birthday, but Some Users Are Twice Its Age!’ (World Bank Blogs31 August 2023) <https://blogs.worldbank.org/en/digital-development/internet-celebrates-its-40th-birthday-some-users-are-twice-its-age> accessed 9 December 2024.; Ani Petrosyan, ‘Internet Users by Age Worldwide’ (Statista27 June 2024) <https://www.statista.com/statistics/272365/age-distribution-of-internet-users-worldwide/> accessed 9 December 2024.
4. Office for National Statistics (ONS), ‘Internet Users, UK: 2020’ (www.ons.gov.uk6 April 2021) <https://www.ons.gov.uk/businessindustryandtrade/itandinternetindustry/bulletins/internetusers/2020> accessed 9 December 2024.
5. Jasmine Park and Amelia Vance, ‘Youth Privacy and Data Protection 101 – Student Privacy Compass’ (Student Privacy Compass1 April 2021) <https://studentprivacycompass.org/youth-privacy-and-data-protection-101/?form=MG0AV3> accessed 8 December 2024.
6. Market Research Society (MRS), MRS Guidance: ICO Age Appropriate Design Code (2024) <https://www.mrs.org.uk/pdf/MRS%20Guide%20to%20ICO%20Age%20Appropriate%20Design%20Code.pdf?form=MG0AV3>.; Aiste Joksaite, ‘UK’s Age Appropriate Design Code: Increasing Child Online Safety – Ondato’
Discussion
Risks for young people are numerous. They come in various shapes and forms, ranging from well-known concerns like cyberbullying or harassment, encountering predators, and coming across age-inappropriate content to less visible risks such as surveillance normalization and commercial exploitation through targeted profiling and behavioral marketing.7 Research findings have backed these concerns. In 2023, for instance, the Cyberbullying Research Center’s survey of 5,000 US teens aged 13 to 17 found that almost 1 in 4 (23%) (up from 16.7% in 2016) have been bullied online.8 Research shows that students who are bullied online are frequently also bullied in school and may feel unsafe, be violent, get into fights, and even arm themselves by carrying weapons.9 Similarly, in the UK, an estimated 847,000 children aged 10 to 15 years experience online bullying behavior every year, and 1,544,000 experience in-person bullying.10 In addition, almost 1 in 10 UK children report receiving a sexual message, and 19.2% have spoken to or exchanged online messages with someone they have never met before, exposing them to potential sexual predation, including “sextortion” and non-consensual sexting.11
(Ondato24 September 2024)
7. Park and Vance (n 5).
8. Justin W Patchin, ‘Cyberbullying Continues to Rise among Youth in the United States’ (Cyberbullying Research Center4 October 2023) <https://cyberbullying.org/cyberbullying-continues-to-rise-among-youth-in-the-united-states-2023> accessed 9 December 2024.
9. Noah T Kreski and others, ‘Experiences of Online Bullying and Offline Violence-Related Behaviors among a Nationally Representative Sample of US Adolescents, 2011 to 2019’ (2022) 92 Journal of School Health.
10. Office for National Statistics (ONS) Centre for Crime and Justice, ‘Bullying and Online Experiences among Children in England and Wales ’ (www.ons.gov.uk7 March 2024) <https://www.ons.gov.uk/peoplepopulationandcommunity/crimeandjustice/bulletins/ bullyingandonlineexperiencesamongchildreninenglandandwales/yearendingmarch2023> accessed 9 December 2024.
11. Ibid.
Though separating sexting (be it consensual or not) and child pornography is proving to be a challenge, studies such as Strasburger12 have linked sexting in teen-hood to an array of adverse impacts, including poor mental health outcomes, feelings of humiliation, shame, and risky sexual behaviors.
Indeed, beyond online platforms’ addictive nature, a recent 2023 Amnesty International13 global survey found that digital promotion of social comparison, publication, and the amplification of harmful content are having negative impacts on young people’s mental health. Most reported not only feeling anxious but also self-conscious about unrealistic body images popping in their feeds and “over-sexualizing” their body in response. Some also attributed their lack of self-esteem, anxiety and depressive thoughts, and eating disorders to their online usage, with some reporting that they have since sought out unspecified body-positive sites and platforms.14 Despite these risks and concerns, there is also a wealth of opportunities for young people online. Most students access their education virtually and rely on online tools (e.g., social media) to socialize, play, explore their identities, build friendships, and even engage in civic and socio-political forums.15 Online spaces have also proven integral in fostering young people’s creative expression and providing them access to resources related to health and well-being. As such, the desire to protect them from risks should not block access to these opportunities.
12. Victor C Strasburger and others, ‘Teenagers, Sexting, and the Law’ (2019) 143 Pediatrics <https://pediatrics.aappublications.org/content/pediatrics/143/5/e20183183.full.pdf>.
13. Amnesty International, ‘“We Are Totally Exposed”: Young People Share Concerns about Social Media’s Impact on Privacy and Mental Health in Global Survey’ (Amnesty International 7 February 2023) <https://www.amnesty.org/en/latest/news/2023/02/children-young-people-social-media-survey-2/?form=MG0AV3> accessed 9 December 2024.
14. Ibid.
15. Park and Vance (n 5).
The Children’s Code is geared towards this goal, shielding youths from harmful content while ensuring that the online ecosystem is thriving and suitable for them. It was enacted in response to the heightened privacy risks encountered by children online. The code comprises 15 standards that guide the design, operation, and marketing of online services that either target children or those that are conceived for adults but could still be accessed by children. For the purposes of this analysis, the effectiveness of AADC’s 15 standards is evaluated under four broad categories: (1) proper design, (2) information communication, (3) technology interactions, and (4) data management.16
1. Proper Design
Proper design serves as the first line of defense in any technology against the potential violation of young people’s privacy rights. As such, privacy protocols are being integrated into online service design to address the privacy loopholes.17 Children’s rights are spelled out by the UNCRC. For this reason, Article 3(1) of the UNCRC obligates all private and public actors and institutions to prioritize the interests of children in matters concerning their well-being.18 Best interests simply mean that whatever decisions adults make should not negatively affect children. Instead, they should ensure that their decisions not only enable children to fully enjoy their rights but also contribute to the positive development of the child in some way.19
16. Grace (n 1).
17. Information Commissioner’s Office (ICO), ‘Code Standards’ (ico.org.uk19 May 2023) <https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/childrens-information/childrens-code-guidance-and-resources/age-appropriate-design-a-code-of-practice-for-online-services/code-standards/> accessed 9 December 2024.
18. United Nations, ‘Convention on the Rights of the Child’ (OHCHR20 November 1989) <https://www.ohchr.org/en/instruments-mechanisms/instruments/convention-rights-child> accessed 9 December 2024.
19. Sonia Livingstone and others, ‘The Best Interests of the Child in the Digital Environment’ (Digital Futures for Children 2024) <https://www.digital-futures-for-children.net/digitalfutures-assets/digitalfutures-documents/Best-Interests-of-the-Child-FINAL.pdf> accessed 9 December 2024.
In practice, however, these interests are not static but vary with the circumstances surrounding children, hence calling for flexibility. In the digital environment, for example, best interests mean protecting the privacy and data of children to shield them from the harms pervading the online space. For this reason, AADC requires online service providers (OSPs) to design their platforms with the needs and age of children in mind. Based on this, the code can be said to be effective in protecting young people’s online privacy in two ways.
First, it guarantees the production of child-appropriate content for kids by placing greater responsibility on designers and OSPs instead of just the parents. Secondly, by recognizing that different children’s developmental stages come with different degrees of cognitive maturity, AADC requires designers and OSPs to create age-verification tools to ensure access to content that matches their developmental stage. This can be seen in the sign-up process of most online platforms (e.g., Meta, SnapChat, and X). For children, age verification safeguards them from harmful content or unscrupulous online users who can manipulate them into revealing personal information. For example, Google began restricting access to content on eating disorders or idealized body weights based on age in 2023.20 The company extended these age-based restrictions to its generative artificial intelligence (AI) tool to prevent it from producing content related to illegal or unsafe activities such as crime and substance abuse.
20. Steve Wood, ‘Impact of Regulation on Children’s Digital Lives’ (5Rights Foundation 2024) <http://eprints.lse.ac.uk/123522/1/Impact_of_regulation_on_children_DFC_Research_report_May_2024.pdf> accessed 9 December 2024.
While age verification tools are welcome, studies have faulted them for worsening privacy violations. This is because the verification tools may require users to provide personally identifying information (PDI), like their identity or credit card numbers, to verify their age. Without proper data protection mechanisms, the data could be used for nefarious purposes, including online tracking, hacking (e.g., health records and bank accounts), as well as undermining the principle of anonymity on which the Internet is pegged, and worsening structural discrimination (e.g., excluding undocumented communities from the digital space).21 Therefore, age estimation – approximating the age of users when logging in – may be preferable and less risky than verification mechanisms that require personal identification.
2. Information Communication
While pre-emptive child-oriented design is primary in privacy protection, how the online services communicate information to children is also important. Two AADC standards fall in this category: (1) transparency and (2) parental controls. The transparency principle requires that OSPs provide a clear privacy policy, documenting their terms/conditions, age limits, content guidelines, and how they intend to use children’s data.22 The explanations should be given in a format and language that the child can easily understand. Some studies have shown that companies often hide or bury their data use and privacy policies under layers of prompts, discouraging children from making informed choices when presented with data agreement prompts.23 Where such policies are provided upfront, they are usually presented as a mandatory condition for accessing online platforms, apps, or websites.
21. European Digital Rights (EDRi, ‘Online Age Verification and Children’s Rights’ (2023) <https://edri.org/wp-content/uploads/2023/10/Online-age-verification-and-childrens-rights-EDRi-position-paper.pdf> accessed 9 December 2024.
22. Information Commissioner’s Office (ICO) (n 17).
23. Revealing Reality, ‘Children’s Data Lives 2024’ (2024) <https://ico.org.uk/media/about-the-ico/documents/4031562/children-s-data-lives-report.pdf> accessed 9 December 2024.
As a result, children are forced to consent to policies they do not understand. The AADC transparency standard guards against these tactics, hence safeguarding the autonomy and data rights of children. Since 2021, for instance, social media companies have been more forthcoming with information in efforts to boost transparency. Examples include privacy highlights (i.e., age-appropriate privacy policy summaries) by TikTok, in-app education on potential online risks by Snap, and safety notifications via direct messaging if the platform detects any suspicious behavior.24
Parental controls, on the other hand, require that providers inform children about any monitoring/tracking capabilities or parental controls embedded in their services. If the monitoring is done by the service provider, a notification should be sent to the child with an option for them to opt out by turning off their geolocation options. This standard is critical given that children tend to share their location as a means of maintaining social or peer relationships.25 The study further explains how older children are so emotionally invested in their peer relationships and social status that they often override privacy controls when making new friends. In response, Google, for example, introduced a supervised account in 2021 that allows children to use YouTube but with parental controls.26 However, care should be taken to ensure that companies are not shifting their share of responsibility to minimize children’s exposure to parents. For this reason, AADC is a timely solution to ensuring that children are protected from potential online tracking or surveillance by people with harmful intentions.
24. Wood (n 20).
25. Revealing Reality ( 23).
26. Wood (n 20).
3. Technology Interactions
The third category of the AADC standards guides how children interact with online services. Those related to privacy include controlled usage of nudging techniques, default privacy settings, and profiling.27 Nudging techniques harm children by manipulating them into turning off the established privacy protections on their profiles or revealing personal data. AADC prohibits the use of these techniques. In addition, instead of relying on users to set their privacy settings, online service platforms have begun automatically implementing high-privacy settings unless the user chooses to disable or weaken them later. This standard has been particularly helpful in protecting users who rarely read privacy and usage guidelines. A recent study assessed the impact of AADC and other regulations on popular online platforms – Snap, TikTok, Meta, and Google. As per the findings, 63 changes related to default settings were made by the four companies, with most of them occurring in 2021 after the AADC became operational.28 The companies reviewed the default settings for features ranging from privacy to ads and spanning messages. For example, Instagram’s new default settings automatically designate the account of any new user aged below 16 as private. As for the profiling standard, AADC provides that the profiling options should be turned off by default to prevent OSPs from using the children’s data to profile them, such as curating content based on discriminatory attributes like race, nationality, and gender. If profiling is to be done, the child should be informed of the purpose of the act and how potential harm will be prevented.
4. Data Management
27. Information Commissioner’s Office (ICO) (n 17).
28. Wood (n 20).
Data management pertains to the treatment of data belonging to children. As per the AADC, OSPs should disclose what kind of data they will collect and the commercial purposes it will serve. The code also obligates them to divulge how they will process and share the data, especially with third parties. The relevant AADC standards under this category include (1) data minimization, (2) detrimental use, and (3) data sharing.29 These standards require that OSPs collect the minimum possible personal data on children, avoid leveraging this data for uses that can harm children or violate existing regulations, and avoid sharing the data with third parties without compelling reasons that should be communicated to the child prior to using the service. In practice, these standards have compelled online service providers to inform users which kind of data they need for each service instead of just bundling the services together and applying a wider range of personal data requirements. These standards align with the data processing principles outlined in the GDPR, such as lawfulness, legitimate purposes, restriction to only what is necessary, and secure storage.30 These provisions are backed by legislation, making the related AADC standards legally enforceable.
Conclusion
The digital world has undoubtedly brought many benefits with regard to communication and information purposes. However, it has brought many dangers that can harm children’s health and well-being. For this reason, the trend towards privacy protection is picking up with countries implementing relevant laws and codes geared towards children. The AADC covers different dimensions of privacy, including designing online services with built-in privacy tools, privacy policy transparency, adequate and balanced parental controls, and data management principles, among others.
29. Information Commissioner’s Office (ICO) (n 17).
30. Intersoft Consulting, ‘Art. 5 GDPR – Principles Relating to Processing of Personal Data ’ (General Data Protection Regulation (GDPR)2018) <https://gdpr-info.eu/art-5-gdpr/> accessed 9 December 2024.
These standards have shown some progress so far, showing that they can be effective solutions to online privacy issues. Nevertheless, implementing these standards requires child education and awareness, as well as a balanced approach to avoid being overly restrictive and creating more privacy risks.
Bibliography
Amnesty International, ‘“We Are Totally Exposed”: Young People Share Concerns about Social Media’s Impact on Privacy and Mental Health in Global Survey’ (Amnesty International 7 February 2023) <https://www.amnesty.org/en/latest/news/2023/02/children-young-people-social-media-survey-2/?form=MG0AV3> accessed 9 December 2024
Comini N, ‘The Internet Celebrates Its 40th Birthday, but Some Users Are Twice Its Age!’ (World Bank Blogs31 August 2023) <https://blogs.worldbank.org/en/digital-development/internet-celebrates-its-40th-birthday-some-users-are-twice-its-age> accessed 9 December 2024
European Digital Rights (EDRi, ‘Online Age Verification and Children’s Rights’ (2023) <https://edri.org/wp-content/uploads/2023/10/Online-age-verification-and-childrens-rights-EDRi-position-paper.pdf> accessed 9 December 2024
Grace TD, Abel C and Salen K, ‘Child-Centered Design in the Digital World: Investigating the Implications of the Age-Appropriate Design Code for Interactive Digital Media’ [2023] Interaction Design and Children
Information Commissioner’s Office (ICO), ‘Code Standards’ (ico.org.uk19 May 2023) <https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/childrens-information/childrens-code-guidance-and-resources/age-appropriate-design-a-code-of-practice-for-online-services/code-standards/> accessed 9 December 2024
Intersoft Consulting, ‘Art. 5 GDPR – Principles Relating to Processing of Personal Data ’ (General Data Protection Regulation (GDPR)2018) <https://gdpr-info.eu/art-5-gdpr/> accessed 9 December 2024
Joksaite A, ‘UK’s Age Appropriate Design Code: Increasing Child Online Safety – Ondato’ (Ondato24 September 2024) <https://ondato.com/blog/uk-age-appropriate-design-code/> accessed 9 December 2024
Kemp S, ‘Digital around the World’ (DataReportal2024) <https://datareportal.com/global-digital-overview> accessed 9 December 2024
Kreski NT and others, ‘Experiences of Online Bullying and Offline Violence-Related Behaviors among a Nationally Representative Sample of US Adolescents, 2011 to 2019’ (2022) 92 Journal of School Health
Livingstone S and others, ‘The Best Interests of the Child in the Digital Environment’ (Digital Futures for Children 2024) <https://www.digital-futures-for-children.net/digitalfutures-assets/digitalfutures-documents/Best-Interests-of-the-Child-FINAL.pdf> accessed 9 December 2024
Market Research Society (MRS), MRS Guidance: ICO Age Appropriate Design Code (2024) <https://www.mrs.org.uk/pdf/MRS%20Guide%20to%20ICO%20Age%20Appropriate%20Design %20Code.pdf?form=MG0AV3>
Office for National Statistics (ONS), ‘Internet Users, UK: 2020’ (www.ons.gov.uk6 April 2021) <https://www.ons.gov.uk/businessindustryandtrade/itandinternetindustry/bulletins/internetusers/2020> accessed 9 December 2024
Office for National Statistics (ONS) Centre for Crime and Justice, ‘Bullying and Online Experiences among Children in England and Wales ’ (www.ons.gov.uk7 March 2024) <https://www.ons.gov.uk/peoplepopulationandcommunity/crimeandjustice/bulletins/ bullyingandonlineexperiencesamongchildreninenglandandwales/yearendingmarch2023> accessed 9 December 2024
Park J and Vance A, ‘Youth Privacy and Data Protection 101 – Student Privacy Compass’ (Student Privacy Compass1 April 2021) <https://studentprivacycompass.org/youth-privacy-and-data-protection-101/?form=MG0AV3> accessed 8 December 2024
Patchin JW, ‘Cyberbullying Continues to Rise among Youth in the United States’ (Cyberbullying Research Center4 October 2023) <https://cyberbullying.org/cyberbullying-continues-to-rise-among-youth-in-the-united-states-2023> accessed 9 December 2024
Petrosyan A, ‘Internet Users by Age Worldwide’ (Statista27 June 2024) <https://www.statista.com/statistics/272365/age-distribution-of-internet-users-worldwide/> accessed 9 December 2024
Revealing Reality , ‘Children’s Data Lives 2024’ (2024) <https://ico.org.uk/media/about-the-ico/documents/4031562/children-s-data-lives-report.pdf> accessed 9 December 2024
Strasburger VC and others, ‘Teenagers, Sexting, and the Law’ (2019) 143 Pediatrics <https://pediatrics.aappublications.org/content/pediatrics/143/5/e20183183.full.pdf>
United Nations, ‘Convention on the Rights of the Child’ (OHCHR20 November 1989) <https://www.ohchr.org/en/instruments-mechanisms/instruments/convention-rights-child> accessed 9 December 2024
Wood S, ‘Impact of Regulation on Children’s Digital Lives’ (5Rights Foundation 2024) <http://eprints.lse.ac.uk/123522/1/Impact_of_regulation_on_children_DFC_ Research_report_May_2024.pdf> accessed 9 December 2024