The Office of the Children’s Commissioner for England has just published a new report looking at how vast amounts of children’s data is collected, and calling on internet giants and other companies to be transparent about how they are capturing information about children and how it is being used. Sonia Livingstone, LSE Professor of Social Psychology, Mariya Stoilova, researcher on children’s data and privacy online at the LSE, and Rishita Nandagiri, PhD Candidate at the LSE’s Department of Social Policy, explain the findings of their research and how this relates to the new report.

The UK’s Data Protection Act 2018 contains a distinctive paragraph for those concerned with children’s rights (which should be everyone, since children are the canaries in the coal mine for threats to all). Fought for by Baroness Kidron of 5Rights, and addressed to the Information Commissioner, it states:

123 Age-appropriate design code

“(1) The Commissioner must prepare a code of practice which contains such guidance as the Commissioner considers appropriate on standards of age-appropriate design of relevant information society services which are likely to be accessed by children….

“(4) In preparing a code or amendments under this section, the Commissioner must have regard—

(a) to the fact that children have different needs at different ages, and

(b) to the United Kingdom’s obligations under the United Nations Convention on the Rights of the Child.”

This is designed to resolve some of the problems with current regulations regarding children’s data protection in the digital environment, without unduly restricting their right to participate. The regulatory solution is that the balance between participation and protection rights should take account of children’s evolving capacity (article 5 of the Convention).

But, what does this mean in the digital environment?

To figure this out, the Information Commissioner’s Office (ICO) called for evidence-based proposals for online service providers in the UK, in its recent public consultation. To stimulate responses, we recently held a seminar at LSE which examined how we can practically build an environment that pays due regard to children’s rights and well-being, and we joined a consultation held by the Children’s Commissioner which resulted in their latest report on data collected about children.

In our project, Children’s Data and Privacy Online, we conceptualise a framework that distinguishes children’s understanding of different types of data and different types of privacy (according to the context – interpersonal, institutional or commercial). In our response to the Information Commissioner’s consultation, we examined children’s understandings according to their evolving capacity. First we conducted a systematic mapping of the available evidence – this involved a comprehensive search of 19 databases (yielding 9,119 search results) and an expert consultation (adding further 270 results). We then we classified this by the age of the children in each study.

Before noting our findings, we emphasise that research shows that children have different capacities to understand privacy and different needs which cannot be explained entirely by age. This means it is not easy to produce age groupings supported by evidence (as the ICO hopes for), because children do not fall neatly into groupings according to age. Indeed, any age group includes children with very different needs and understandings.

Even for a single child, there is no magic age at which a new level of understanding is reached. The academic community has, by and large, moved beyond those early developmental psychology theories which proposed strict “ages and stages”. But nor does it consider children to be similar at the age of five and fifteen, for instance. Rather, developmental psychology, like clinical psychology and, indeed, the UN Convention on the Rights of the Child, urges that children are treated as individuals, taking into account their specific needs, understandings and circumstances. Their parents broadly agree.

What did we find?

Overwhelmingly, the evidence documents children’s struggles with understanding the multiple dimensions of privacy online – indeed, of the digital environment itself. Many studies reveal that children’s digital and data literacy is patchy, along with the consequences this has for their practices in sharing or protecting their personal data in the digital environment. This is not necessarily for want of interest or ability. Rather, the evidence is clear that children cannot – and cannot be expected to –sufficiently understand many of the ways in which their data is used, or for what exactly their consent is formally required by an online provider. This is for multiple reasons:

  • The complexity of the digital interface presented to a child, usually written in complex language and with little attention to privacy-by-design or rights-by-design.
  • No real choice is attached to a decision about providing personal data or choosing how one’s data are used – if there is no choice but the “take it or leave it” choice to provide data to use a service or not to access the service, children will generally not find the “choice” offered meaningful or worthy of consideration.
  • Uses of personal data concern not only the intent and actions of the online provider but also the digital ecosystem that lies behind them – of data brokers, profiling companies, algorithms combining and calculating across data sets, to service the businesses of many players beyond that initially collecting data from a child: and the UK does not teach its children about this commercial (and state) ecosystem and thus cannot reasonably expect children of any age to understand it.
  • Children learn about the online environment via trial and error, thinking about the consequences of their actions retrospectively and expecting to be able to retract any online activities and avoid future negative consequences. They see their learning errors as inconsequential, giving little thought to how these might transfer across contexts or persist across time, seeing them as of little or no interest to any external parties.

Boiling the research down to its essence, we attempted to map the development of children’s understanding of privacy by age, with the caveat that the differences within as well as across age groups can be substantial:

 

Bearing in mind the available evidence, and in addition to our specific responses to the Information Commissioner’s Office regarding default privacy settings, data minimisation standards, the presentation and language of terms and conditions and privacy notices, uses of geolocation technology, automated and semi-automated profiling, and so forth, we recommended that:

  • Child-rights-respecting policies for the digital environment are needed to balance protection and autonomy, and prevent discrimination and long-term consequences.
  • Sustained media (data, digital, critical) literacy education from an early age is vital, but not a “silver bullet”.
  • Support children by supporting parents, teachers, and welfare bodies to be able to address “best interests” and vulnerabilities.
  • Privacy-by-design, mechanisms for redress, enforcement, evaluation are all important and should be informed by strong evidence base and children’s voices.

Our consultation response, which includes summaries of 64 of the most relevant empirical studies – itself a wealth of information – is now in the public domain and may answer any further questions you may have.

This article gives the views of the authors and does not represent the position of the LSE Media Policy Project blog, nor of the London School of Economics and Political Science.