Right Click for the Kids: Open Rights Group’s Views on Building an Empowered Digital Childhood
Open Rights Group turned fourteen years old this year. That’s old enough to have been recruited by Facebook to sell our private phone and web activity for their commercial profit,1 to have been sucked into dark advertising webs on YouTube,2 to have seen unwanted sexually explicit images or been sent unsolicited sexual messages via social messaging services,3 and to have been put at risk of future identity fraud by our own parents through their over-sharing of school photos, birthday party invitations, personal achievements and cherished family moments.4
Today’s connected world presents both incredible new opportunities and troubling new threats for children and young people in the UK. The Internet and digital tools can valuably enrich learning, play and social environments, but not all of the online world is child-friendly and not all children adapt and thrive amid the rapid pace of technological development.
The challenge for researchers, regulators, technologists and activists is to navigate through these tensions and build a digital society in which children can benefit from the many wonders of the Internet, be protected from its dangers and have their fundamental rights, including rights specifically afforded to them due to their status as children, fully respected and upheld. Indeed, without privacy and freedom of expression, children cannot have a full and rich online experience. The ultimate aim of legal and policy frameworks, both in the UK and worldwide, should be to prepare children gradually for adulthood as effective participants online with agency and confidence in their rights.
This is no easy task. And achieving it is made all the more challenging by the data-driven business model on which online platforms base their commercial operations.5 In terms of advertising revenue, children’s spending power is arguably even more valuable than adults’,6 and children’s developmental vulnerabilities make them easy prey for corporations and advertisers seeking to capture their attention.7 Online platforms are desperate to amass children’s data, but systems that actively court child users whilst failing to respect their rights are exploitative. Fighting the model is an essential, though potentially daunting, criterion for change.
Responsible actors in the adult world have focused extensively on improving online privacy and data protection in recent years. The EU’s General Data Protection Regulation (GDPR) took a seminal step towards curbing the ability of information-hungry platforms to choose, abuse and lose consumers’ sensitive personal data. The e-Privacy Regulation, if it ever manages to get out of the starting blocks, offers a similarly powerful opportunity to extend individual protections to private e-communications and messaging. Yet although these pieces of legislation and others apply equally to children, their remit is often forgotten, or not wielded, when it comes to under-18s.
Children make up the majority of online users. They interact with almost all the same online services as adults, use the Internet for hours every day (it being embedded into everyday school life and social interaction) and leave trails of data around the web that are almost as messy as an average teenager’s bedroom.8 And yet this numerically and qualitatively significant group largely tend, in UK policymaking, to be subject to a demoting narrative that defines them as passive in the online space, needing ‘protection from’ rather than ‘rights to’.9
Children are the source of much creativity and innovation. Their energy, ideas and capacity for challenging the status quo are everything that the Internet was founded on. They deserve to be equal participants in the vibrant society that digital technology affords, and to have their equally fundamental rights to privacy and data protection respected and upheld. Indeed, protecting children’s rights online can have a knock-on positive impact on adults’ online experience and engagement.
The Age Appropriate Design Code (under development by the ICO at the time of writing) presents a fresh and unique approach to upholding children’s rights online. In contrast to DCMS’s nebulously-constructed ‘duty of care’, it is positively steeped in the established language of international law and focuses on maximising both rights protection and agency for under-18 Internet users. This is critical. At Open Rights Group, we strongly support ambitions to create stronger default privacy settings and we work towards better provision of information to both child and adult Internet users about terms and conditions and privacy notices. We want to empower an online system that creates a realistic digital life for under-18s, not one that replaces it with the online experience of an adult. We encourage digital- and rights-based capacity-building for under-18s, so that children can become effective participants online and can increasingly understand and exercise their rights as they move into adulthood.
This graduated approach is especially important when considering the additional vulnerabilities and needs of children with special educational needs, disabilities and mental health issues, who may have impaired capacity to understand, consent and activate their rights. It might be argued that all children, and especially those with complex personal circumstances, should be able to depend on parents or other adults under whose care they reside to take good decisions about their access to online services, to set fair and sensible web use limits and to object from an informed “grown-up” perspective to negative or nefarious data processing. But developing digital structures appropriate for children requires more than simple reliance on parental ability.
Systems that rely on parents controlling and consenting to their children’s online experience assume that all adults have a good grasp of privacy notices, that they are sensitive to the development needs of their children and can realistically assess the risks of their use of online services. Arguably, adult caregivers fail on all three of these areas continuously. Research has shown that adults do not understand how children use online services,10 can overreact to misunderstood context11 and are at risk of ‘consent fatigue’,12 leading to clicking without thinking. Adults might also agree to data processing where children might object, since appreciations of privacy can differ drastically between parents and their children.13
If parents cannot be relied on, then who can? At Open Rights Group, we strongly encourage the Government to implement Article 80(2) GDPR into UK law: this would enable children, who are inherently less able to identify their rights, to have expert third parties represent them in areas of data protection that they are unlikely to be able to access by other means. To protect children’s rights and wellbeing online, it’s vital to hold data-using actors to account.
But even if fines are issued and data is deleted, even if useful progress – such as better information provision and consultation with children on the wording of terms and conditions and privacy notices – is achieved, this will mean very little unless there is proper, UK-wide investment in children’s ability to be competent, confident online actors. This requires embedded national curriculum learning, starting from an early age and continuing throughout school years.
Children themselves are requesting more education on digital issues: consultations have repeatedly found teenagers, tweens and even the youngest of ages wanting to learn more about how the Internet and companies on the Internet work.14 This wish should not be set aside. Placing greater burdens on data controllers to operate with regard to children is a laudable outcome. Investing in educating children to gain a better understanding than their parents about the Internet, the Internet economy, and their rights online has the potential to change society.