The European General Data Protection Regulation (GDPR), due to become law in May 2018, contains several provisions highly relevant to children and young people. Vicki Shotbolt, CEO of Parent Zone, argues here that we need to consider the challenges posed to parents by proposals to require parental consent for children under 16 to use online services.
Throughout this blog series, we have been decoding the implications of the GDPR for children, noting that a range of provisions within the GDPR are of particular importance to their rights to participation and protection, to the balance between parental responsibility versus teen autonomy, and to the challenging media literacy task set for both parents and children by the opaque, ‘black-boxed’ algorithmic operation of the internet industry.
The GDPR could mark a very significant turning point in young people’s access to the Internet. Unless member states specifically legislate to adopt a different age, the default will be that children under the age of 16 will require parental consent to use online services that collect their data. To be clear, this doesn’t mean that children will be deprived of online services as some groups have implied. Rather that young people would no longer be able to sign up for services without the consent of a parent. The ‘services that collect data’ is a crucial point because clearly, all of those services that are ‘open access’ do not require a child to create an account in order to use them. So does this represent a breach of children’s rights, as enshrined in the UN convention on the rights of the child and the EU’s commitment to promote them, or is it a sensible step that will give parents rights alongside the responsibility they already accept for keeping children safe online? At Parent Zone we think the answer is both and neither. The only certainty is that the decision has been made without regard for what young people or parents think, and that is seldom a good idea.
As a parenting organisation, we believe that parents are the experts about their own children and we think they do an incredible job, arguably the most complex and challenging job anyone ever does. We understand that the quality of at-home parenting is fundamental to achieving good outcomes for children.
One of the most straightforward ways to make it easier for parents to do a good enough job of parenting is not to make it any harder. There are many examples of initiatives to help parents do a good enough job of parenting, from improving early years’ support to child resistant packaging. None of these attempts to ensure that parents are able to parent well and children are afforded age appropriate protections take away from the fact that parents remain responsible for their child’s safety and wellbeing. Far from it, they are designed to help parents by providing them with the tools and support they need, and by taking away some of the things that put children at risk – such as bleach bottles that look like cordial bottles.
Some of the initiatives appear to restrict children’s rights by going further than seems sensible. A child’s right to play is not easily reconciled with local restrictions on ball games in parks – and it’s hard to feel that taking away every child’s right to buy a can of spray paint is proportionate to the harm done by graffiti – even though that was one of the reasons given for introducing the ban.
In a digital age, the goalposts appear to have changed. Parents need to parent online as well as offline, but they are faced with a multitude of challenges. Perhaps the most fundamental is the fact that their children are free to sign up for services at any age without parental consent. This includes services that say they are for thirteen year-olds and above, because as any internet user knows, those services make no attempt to verify a child’s age.
Whilst a parent can inform a service that their child is too young to use it, far too many sites make it extremely difficult to find out how to do so. It’s typically extremely difficult to find that information even on some of the largest and most popular sites with children. One of the consequences of this parental disempowerment is that many parents treat age ratings as though they were little more than a guide. If services don’t enforce them why should parents? In fact, some parents actively choose to help their children create accounts before they are old enough because they feel unable to swim against the overwhelming force of numbers.
If every child in a school is on a platform it is difficult to be the one parent who says no. It’s also potentially risky because, as we know, children look for ways around rules and by saying no, you risk your child doing it anyway and you not being involved. This in turn gives large companies the opportunity to say that they are unable to enforce their policies because parents choose to ignore them. A curious notion, and one that wouldn’t cut much ice with a shop that sold cigarettes to a minor because their mum said it was OK.
Will the GDPR resolve these problems or make them worse?
Policy makers are increasingly interested in the concept of digital resilience. Evidence suggests that attempts to restrict children’s access to the internet is not the best way to help them become resilient. In fact, allowing young people to explore online spaces with the support and understanding of the adults around them appears to be a far more effective way to equip them with the skills they need to do so safely. By requiring parental consent, the risk is that we encourage more children to lie about their age and to hide their illicit online activity.
But perhaps the reality will be different. Perhaps by giving parents a full and proper role in guiding their children and by forcing services to recognise that the internet is a space that needs to include appropriate safeguards for children, we will see a healthier, family-friendly ecosystem. At the very least it would mean that when a parent is concerned about the safety of their child on any given service they will be able to intervene and not be told that the service can only communicate with the user – their child.
This post gives the views of the author and does not represent the position of the LSE Media Policy Project blog, nor of the London School of Economics and Political Science.
I’m very intrigued to know if you have any idea about how exactly parental consent would be technically implemented. GDPR says we need to make “reasonable effort to verify the identity of the parent” but I can’t see how that can be possible online without the child pretending to be their own parents and giving themselves consent?
Do we do something crazy like ask for credit card information to validate that the person filling out a form is an adult? But that means all sites need to suddenly capture even more crazily sensitive information.
I am worried that the added bureaucracy will just mean lots of sites just ban people under 16 and things are less safe for children as a result of it as websites that have banned under 16 year olds won’t be able to make special provisions in moderation for people under 16.