The 2016 European General Data Protection Regulation (GDPR) will require parental consent for children under 16 who use digital services such as social media. In this post, Sonia Livingstone, Professor of Social Psychology at LSE’s Department of Media and Communications, discusses the potential challenges that result from this policy change.
Throughout this blog series, we have been decoding the implications of the GDPR for children, noting that a range of provisions within the GDPR are of particular importance to their rights to participation and protection, to the balance between parental responsibility versus teen autonomy, and to the challenging media literacy task set for both parents and children by the opaque, ‘black-boxed’ algorithmic operation of the internet industry. We also looked at available evidence that can be used to unpack GDPR’s implications for children online, and discussed the GDPR from both a parents’ and a youth perspective.
Article 8 of the 2016 European General Data Protection Regulation (GDPR) requires verified parental consent for under 16s (or 13s, if member states so determine) to use ‘information society services’. This raises the concern that companies will not bother (i.e. they’ll simply require users to self-declare that they meet the age requirement), leaving children and younger teens unprotected online, and also the concern that parents won’t bother or won’t understand, leaving teens unable to access online services.
Then there’s the question of whether the UK should keep the age requirement for consent at 16 years old (on the assumption that younger teens lack the media literacy to understand the privacy and personal data threats that exist in the commercial online environment) or reduce it to 13 (on the view that teens – indeed all children – have the right to communicate online, as per Articles 13 and 17 of the UNCRC, and should not be excluded from so important an environment as the internet).
It is always hazardous to second guess the consequences – especially the unintended consequences – of policy change, even though this is precisely what policy must do, and precisely why evidence is needed. There are certainly too many uncertainties associated with the GDPR at present to anticipate the likely benefits or costs for children. But it could be helpful to consider Figure 1 from Ofcom’s 2016 data on whether UK children have a social media profile (bearing in mind that, most likely, these profiles are on services whose terms and conditions require users to be 13+).
According to Figure 1, we can see that:
- Around one fifth of 9-10 year olds and up to half of 11-12 year olds have a profile, despite being ‘under-age’. So clearly the current age verification technique (namely, self-declaration of age) is ineffective. Will anything be different under the GDPR – i.e. will the data authority require the data controller to take further steps to authenticate the age declared on registration? Or will there simply be an increase in those who declare a false age and so get treated like adults online despite meriting special provisions as children?
- By the age of 15, nine in ten children have a social media profile. If the UK decides to keep the GDPR’s age of parental consent of 16 (which could be reasonable, given many teens’ confusions about the online commercial world), will social media sites seek verified parental consent for all of those aged 13-15 by May 2018 (and by what means)? Or will it not bother, and summarily delete all their profiles so as to comply with Article 8 (and save the money and effort of creating special provisions for children)?
Then consider the three points in the curve where there’s a sudden jump in users – around age 9, 11 and around age 13. I will comment on these in reverse order.
- The jump from 50% with a profile at 12 years old to 74% at 13 suggests that a fair proportion of teenagers (and their parents) are keen to comply with the terms and conditions set by social media companies – these children seemingly have waited until they are old enough to use the service. But whether they would wait till they are 16, if the rules change, is hard to guess.
- The jump from 21% at 10 years olds to 43% at 11 is also interesting. As any Brit knows, this marks the transition from primary to secondary school – from a small neighbourhood school where friendship groups are well established to a large school, often some distance from home, where new friendships must be formed quickly if one is not to be lonely or lost. This is the age where we see the greatest need for the connections offered by social media. If social media are no longer to fulfil this genuine need, society will need to think again about the transition to secondary school (and perhaps it should anyway).
- The jump from 9% with a profile at 8 years old to 21% at 9 is likely to reflect the acquisition of personal devices, with parents beginning to give children mobile and smart phones from around 8 years old – though the biggest peak is around 10 or 11 as parents equip children for their growing independence as they approach the transition to secondary school. It is likely that parents have in mind giving their child the means to stay in touch with parents, for safety reasons, though they are also giving their child the means to communicate with friends and, importantly, they are giving the commercial world the opportunity to access their children.
It’s worth remembering that the GDPR does not stop social media or other internet services providing opportunities for children of any age. Rather, it sets conditions by which they can do so, and these carry a cost that, until now, companies have largely declined to bear. It is ironic that those enthusiastic pioneers in the digital world – the young – are precisely those whose interests the industry fails to serve unless it can profit from them.
This post gives the views of the author and does not represent the position of the LSE Media Policy Project blog, nor of the London School of Economics and Political Science.