GDPR and the Digital Age of Consent for Online Services

February 3, 2016

If Alice fell down the rabbit hole in 2015, it wouldn’t take an Oxford don to document her adventures. #Wonderland would be trending on Facebook and Twitter and Alice’s Instagram would be full of selfies with the March Hare and the Cheshire Cat.

Children today are as technologically literate as any grown-up, often being able to navigate YouTube before they learn to read. But the GDPR might prove to be a stumbling block for digital users under 16.

Background

In December the Commission announced that the final text of the GDPR had been agreed with the European Parliament and Council, but not before a last-minute change to the so-called ‘digital age of consent’.

Earlier drafts indicated that the Commission would adopt 13 as the EU-wide threshold at which parental consent is required for the use of information society services (such as websites and other online services), but the compromise draft agreed between the institutions raises the threshold to 16, though individual Member States may reduce this to 13. This is likely to mean that information society providers will need to deal with different minimum age thresholds in different Member States.

Will Anything Change in the UK?

When collecting personal data it is important that the data subject properly understands how the data that is provided will be used. That can be difficult when collecting data from children.

The Data Protection Act 1998 does not specify the age at which children are legally able to give consent to processing of their personal data. Current guidance from the Information Commissioner’s Office recommends that consent should be sought from a parent or guardian prior to collecting information from children up to the age of 12, but notes that there may be cases where it is necessary to obtain parental consent for children older than 12:

“Assessing understanding, rather than merely determining age, is the key to ensuring that personal data about children is collected and used fairly. Some form of parental consent would normally be required before collecting personal data from children under 12. You will need to look at the appropriate form for obtaining consent based on any risk posed to the child. You may even decide to obtain parental consent for children aged over 12 where there is greater risk. This has to be determined on a case by case basis.”[1]

This will change when the GDPR comes into effect in 2018. Even if the UK government legislates to apply the lowest permitted age threshold in the UK, there would still be a change from the current approach, together with the introduction of more prescriptive requirements in relation to the steps that data controllers must take to ensure they have appropriate consent.

How Will the Threshold be Enforced?

Social media platforms and other website operators will need to think about how they obtain parental consent in respect of any child aged under the relevant threshold who seeks to access their digital content.

Article 8(1a) of the GDPR requires data controllers to “make all reasonable efforts to verify in such cases that consent is given or authorised by the holder of parental responsibility.” In determining what is reasonable, the data controller is required to take into consideration “available technology”. No further guidance is provided on this in the GDPR itself, and this uncertainty was one of the issues raised at the Information Commissioner’s GDPR stakeholder workshop in London on 26 January.

Possible solutions to this problem may already exist on websites restricted to over-18s.

In the alcoholic drinks industry, for example, the Portman Group (established by a number of the UK’s major alcohol producers to promote responsible drinking) strongly encourages its members to use an age affirmation page (AAP). This is a website landing page which requires visitors to confirm they are of a certain age before they can enter the website. The Portman Group recognises that this may simply encourage children to lie about their age and recommends a number of steps to ensure that the AAP is as effective as possible. Firstly, the AAP should require visitors to actively input their date of birth rather than simply clicking through default options. In addition, the AAP should carry a Nanny Tag. This is a hidden label consisting of metadata that describes the site’s content in a format that software like NetNanny can understand. Parents can use this software to control the web browsing activity of their children.

Similarly, the Gambling Commission stipulates that gambling websites must put in place procedures requiring customers to affirm that they are over 18. They also recommend carrying out credit checks against customers who don’t pay by credit card. Underage users can still abuse this system by using an adult’s credit card, but may only get away with it until the next bill arrives (unless they’ve had a particularly good run!).

Relying on credit card providers to check a person’s identity or carrying out your own credit check is a more robust practice than simply relying on the user’s word, but it is unlikely to be a viable option for websites and services where money is not changing hands. In addition, it would leave under-18s, who cannot apply for credit cards but are above the relevant age threshold, in limbo.

Software like NetNanny may provide a more effective way to stop children accessing online content without parental consent, but use of such software is outside the control of the website operator as it has to be installed by the user. It is therefore likely to fail the requirement to make reasonable efforts. The use of device software such as NetNanny may also cause issues for websites and services aimed at children under the relevant age where parental consent has been obtained.

An alternative approach may be to use some form of trusted third-party authentication, but that will be dependent upon the authentication provider itself adopting sufficiently robust checks. For example, many websites allow users to log in using a Facebook account, but it is relatively easy for a child to create a Facebook account despite being under 13 (the minimum permitted age set out in Facebook’s terms and conditions).

Finally, it’s also unclear whether any form of materiality test will apply. For example, if information is only being collected using cookies, will parental consent be required? Or is it only where a particular level/type of information is being collected? Given the multitude of devices and browsers that people use to access information society services, technically managing the consent process will be particularly difficult if the user can access the service without creating a user account.

Guidance from the national data protection authorities is needed to clarify these issues.

How Does the Threshold Work with Traditional Contractual Capacity?

Apart from being difficult to enforce on a practical level, the proposed threshold is also at odds with the existing legal framework in the UK on the capacity of young people to enter into contracts.

In England and Wales, a child does not generally acquire full legal capacity until the age of 18. However, minors can and do enter into contracts before reaching full age. Like the ICO’s approach to processing of personal data, the English courts take the view that the validity of such contracts will depend on the child’s understanding of the transaction.

In the Court of Appeal judgment in R v Oldham Metropolitan BC, ex parte Garlick [1993] AC 509, for example, Scott LJ commented that, whilst a child well under the age of 10 could purchase sweets, a 4-year-old could not contract for the occupation of residential property. Clearly this is an extreme example, but the point is that children acquire contractual capacity on a gradual basis as their understanding of the world develops. Drawing a line in the sand for all circumstances is impractical and unworkable.

It is therefore likely that a minor could legally consent to a website’s terms and conditions and privacy policy well before their 16th birthday, provided that they understood the nature of the contract. Nevertheless, it is well established at common law that contracts entered into by minors are voidable at the minor’s option but remain binding on the other party. Information society service providers could therefore be at risk of a minor voiding their consent to the processing of their data months after accessing a website or app.

Similar risks arise under Scots law. In Scotland a child acquires full legal capacity at the age of 16, but can enter into contracts of a kind commonly entered into by people of his age and circumstances, provided that the terms are not unreasonable. As in England and Wales, this has historically allowed children to enter into simple transactions such as buying sweets or bus tickets.

Now that young people access websites and apps every day and are often as digitally aware as many adults, it is probably the case that they can legally consent to terms and conditions on their own behalf. Clearly, though, there will be a lower cut-off age – a child of five can hardly be expected to properly understand YouTube’s terms and conditions. Any terms to which a child in England and Wales or Scotland will be consenting should therefore be in clear and plain language that a child can easily understand.

For some providers of information society services that will present a challenge. It is often tempting to use comprehensive terms and conditions for online services, but if a child will access a website regardless, is it perhaps better to draft terms of use that are capable of binding the child rather than disappear down the rabbit hole of having no binding terms of use at all? The latter approach may actually provide all parties with greater certainty.

Will the New Threshold Actually Protect Children?

Clearly there are legal and practical difficulties with the GDPR’s proposed age of consent, but campaigners have also questioned whether it is desirable from a policy perspective. Whilst an increased digital age of consent might seem like a good way to protect children, online safety experts expressed their concerns in an open letter published in December.

The signatories to the letter point out that increasing the age limit for consent is artificial, as research shows that young people are adept at controlling the information they share online, more so than many adults. Moreover, they highlight the important role played by digital platforms and social media in self-development and education.

The requirement to obtain parental permission could restrict the access children have to valuable online resources. Such resources include not only educational services, but also online support and advice to children suffering from abuse or online bullying. Indeed, it could actually lead to an erosion of the child’s privacy as such advice and information could not be sought in confidence.

What Should Providers of Online Services Be Doing?

As yet, there has been no formal announcement from the UK Government on whether a lower age limit will apply in the UK.

Either way, the new hard-wired age will require providers of information society services that might be used by children to think about how and why they collect data, how they communicate that to users and how they can ensure that appropriate consents are obtained. It will no longer be sufficient to simply state that a child under a certain age should not use the service.

As with many areas of the GDPR, data controllers will welcome an early steer from the national data protection authorities on the approach that they should be taking.

Martin Sloan is a partner, and Kathryn Alexander is a trainee, in the Commercial Services Division at Brodies LLP. Blog: http://techblog.brodies.com / Twitter: @BrodiesTechblog



[1] Information Commissioner’s Office Personal Data Online Code of Practice https://ico.org.uk/media/for-organisations/documents/1591/personal_information_online_cop.pdf