UK closely probing four tech firms over kids’ privacy code breaches

The UK could be gearing up to hit a handful of tech firms with enforcement orders (and potentially fines) related to a children’s online privacy and safety Code which has been in force for a year.

“The ICO are currently looking into how over 50 different online services are conforming with the code, with four ongoing investigations. We have also audited nine organisations and are currently assessing their outcomes,” the data protection watchdog said in a blog post yesterday marking the one-year anniversary of the Code coming into application.

The Telegraph, which has interview with information commissioner, John Edwards — who heads up the Information Commissioner’s Office (ICO) — in today’s paper reports that two of the four social media and tech firms under investigation are household names.

Its reports says decisions by the ICO on whether to prosecute are expected to be announced within weeks.

“This code makes clear that children are not like adults online, and their data needs greater protections,” Edwards told the Telegraph. “We’ll use our enforcement powers where they are required.”

The companies in question have not been named — either by the newspaper or the ICO — but last November, the watchdog wrote to Apple and Google after concerns had been raised with it about how the pair assess apps on their respective mobile app stores to determine which age ratings they apply.

The ICO described its outreach then as an “evidence gathering process to identify conformance with the code” — although it remains to be seen whether the two tech giants are among the four firms facing possible enforcement, or if they’re just among the wider group whose compliance the watchdog has been eyeing.

“Unfortunately, we are unable to name the companies at the minute due to ongoing investigations,” a spokeswoman for the ICO confirmed when asked if it can share any more details.

The ICO first published the children’s Code back in 2020. It contains 15 standards for what’s billed as “age appropriate design” — essentially it’s a set of design recommendations for web services that are likely to be accessed by kids, containing recommendations such as setting high privacy defaults and not using heavy-handed engagement tactics that could keep kids unhealthily hooked on using a digital service.

The overarching aim is for the Code to encourage to platforms to safeguard kids from accessing inappropriate content and prevent them being commercially data-mined, although the ICO regulates personal data (rather than content) — the latter responsibility will fall to Ofcom under the incoming Online Safety Bill (assuming another change of UK prime minister does not lead to a legislative rethink on that front).

This division of regulatory responsibilities has led to some friction from children’s safety campaigners who, while supportive of the Code — and, indeed, even more than that in the case of 5Rights’ chair and life peer, Baroness Kidron, who was a fundamental driver for adoption of the standards (and continues to press for amendments from her seat in the House of Lords) — have complained of “gaps”, as they wait for content-focused safety laws to make their way through parliament.

The ICO has therefore faced pressure to also be looking at adult websites — i.e. by requiring that porn sites also comply with the Code — not just auditing the sorts of games and social media apps that are most obviously popular with children.

Age checks for porn sites?

The overarching push by child safety campaigners is to force adult websites to apply robust age checks to prevent children accessing online pornography — so, basically, a revival of a mandatory age checks for porn sites policy that’s been kicked about by UK lawmakers for years — most recently revived (earlier this year) as an(other) addition to the Online Safety Bill after a standalone age check scheme was dropped in 2019 after facing criticism that it was unworkable.

Campaigners may finally be scenting victory on this front, via the Online Safety Bill, as the government said in February that it will mandate the use of “age verification technologies” on adult sites to make it harder for children to access or stumble across pornography. But they’re evidently not sitting on their hands waiting for that legislation to pass — not when the Children’s Code and UK data protection law already exists for them to leverage…

And in what looks to be a related change to its approach, announced yesterday, the ICO has bowed to pressure to expand its interpretation of the Code to cover pornography websites — or at least those that are “likely” to be accessed by children (whatever that means) — writing in its blog post that: “We have… revised our position to clarify that adult-only services are in scope of the Children’s code if they are likely to be accessed by children.”

The ICO says this evolution in how it applies the Code follows petitions by child safety campaigners and others warning of the risk of “data protection harms” when kids access porn sites.

“We will continue to evolve our approach, listening to others to ensure the code is having the maximum impact,” it goes on. “For example, we have seen an increasing amount of research (from the NSPCC, 5Rights, Microsoft and British Board of Film Classification), that children are likely to be accessing adult-only services and that these pose data protection harms, with children losing control of their data or being manipulated to give more data, in addition to content harms.”

This change in application does not (cannot) entail an expansion of what the ICO regulates to include content itself. (“We don’t regulate content,” its spokeswoman confirmed. “We regulate how children’s personal data is used or processed in order for content to be served to children. It’s the step before children see the content.”)

However it’s clear that porn sites’ data collection habits are not the primary concern for child safety campaigners — rather it’s, yep, the content — but if campaigners can leverage children’s privacy rules to force porn sites to implement age checks they don’t look too fussy.

In a statement welcoming the ICO’s revision to include adult-only sites in scope of the Code, children’s safety campaign group, the 5Rights Foundation, said:

“The UK Age Appropriate Design Code applies to all services that are likely to be accessed by under-18s, even if they are not intended for children. Through its investigative work submitted to the ICO last year, 5Rights uncovered that sites including gambling, dating and pornography sites are being accessed by children and are not complying with the Code, in particular profiling children to serve detrimental material.”

“The ICO’s announcement on adult-only sites will provide much needed clarity to those companies who think they are beyond the law,” added Duncan McCann, its head of policy implementation, in another supporting statement. “They will no longer have grey lines to exploit, and we hope that this development will serve to further improve the online lives of young people.”

While the UK children’s Code itself is not legally binding, it is attached to the country’s wider data protection rules — which include the Data Protection Act and UK GDPR — and ICO guidances notes that applicable online services “need to follow” the standards in order to “ensure they are complying with their obligations under data protection law to protect children’s data online”.

Under the GDPR, the ICO has extensive powers to enforce against privacy breaches — with the ability to fine infringers up to 4% of their global annual turnover (or up to £17.5M, whichever is higher). So the subtext here is basically ‘comply with the code or risk GDPR-level enforcement’ — giving the ICO a big stick to encourage in-scope digital services to apply goldplating rules that could end up in an age-gated Internet, since who knows which other services might be “likely” to be accessed by kids?

Asked how adult websites should assess whether children are likely to access their services, the ICO’s spokeswoman responded with this: “Services must be accountable for their decisions, and be able to provide evidence to support their views on whether they are likely to be accessed by children. To determine if they fall within the scope of the code, adult services will need to understand who their users are, and identify if children make up a significant number of those users. To do this, online service could undertake research about their users, review academic research or commission market research, consideration of the types of content and activities children are interested in and the attractiveness of their services to children; or consider if children are known to like similar services.”

The phrase “understand who their users are, and identify if children make up a significant number of those users” is doing a lot of work in that sentence — although the ICO has not explicitly suggested the use of age verification technology as a way for a service to determine whether it falls in scope of the Code. That comes next…

“If an adult only online service is likely to be accessed by children, the service needs to take measures to restrict children from accessing the service, such as by implementing age assurance measures, or it must implement the standards of the code in a proportionate, risk-based manner to protect children’s privacy online,” the ICO’s spokeswoman also told us, adding: “It’s vitally important to look after children online and not treat them in the same way adults are treated. It is a long term, transformative process to embed the Children’s code but we are seeing more and more change which is good for children, it allows the online industry to be more innovative and it’s the right thing to do.”

The ICO’s blog post also notes that the (privacy) regulatory will be working with Ofcom (the incoming content regulator) and the Department for Digital, Culture, Media and Sport (DCMS) to “establish how the code works in practice in relation to adult-only services and what they should expect”. So expect further implementation ‘evolution’ as more pieces of the UK’s digital regulation strategy land (or, well, fall away).

The ICO is already taking credit for a number of policy tweaks applied by major platforms to children’s accounts, including Facebook, Instagram, YouTube, Google and Nintendo, over the past year — such as the Meta-owned platforms limiting targeting to age, gender, and location for under-18s; and YouTube turning off autoplay by default and turning on take a break and bedtime reminders by default for Google Accounts for under 18s, to name two of the actions it flags.

The UK Code has also been credited with encouraging similar policy moves in other jurisdictions — reportedly inspiring a California bill that was passed by lawmakers just this week (and will, if it’s gets signed into law, apply a similar set of protections for under-18s in the state), among a number of other moves by other regulators and policymakers focused on safeguarding kids online.

Apple, Google questioned by ICO over app age ratings after UK child safety charity raises concerns

The UK’s data protection watchdog has written to Apple and Google seeking details of how they assess apps to determine the age ratings they apply following concerns raised by an online child safety charity.

The move follows the coming into force of the UK’s Age Appropriate Design Code this September — which puts requirements on digital services that are likely to be accessed by children to prioritize protecting their privacy and safety.

In a statement today the information commissioner, Elizabeth Denham, said her office is currently conducting an “evidence gathering process to identify conformance with the code, and thus compliance with the underlying data protection law”.

The information commissioner was responding to a letter from the 5Rights Foundation — a digital child safety charity which conducted research over the summer to investigate compliance with the Code; and says it found 12 “systemic” breaches, including insufficient age assurance; mis-advertisment of minimum ages for games on app stores; the use of dark patterns and nudges; data-driven recommendations that create risks for children; a routine failure to enforce community standards; low default privacy settings; and plenty more besides.

“In this process, the ICO is taking a systemic approach; we are focusing our interventions on operators of online services where there is information which indicates potential poor compliance with privacy requirements, and where there is a high risk of potential harm to children,” Denham also wrote in reply to the 5Rights Foundation, adding that as part of this work the ICO has contacted Apple and Google — “to enquire about the extent to which the risks associated with the processing of personal data are a factor when determining the age rating for an app”.

The tech giants have been contacted for comment on the development.

Both operate app stores which apply age ratings to apps that are made available for download — potentially by children — meaning their platforms come under the scope of the Code.

The ICO is not singling out Apple and Google, however — saying today that it’s written to a total of 40 organizations across the three tech sectors it considers highest risk for kids — namely social media/messaging; gaming; and video/music streaming — “to determine their standards of conformance individually”.

It adds that it will write to a further nine companies following the charity highlighting a raft of concerns — bringing the total number of digital services under regulatory review to almost 50.

The ICO has not published the full list of tech companies it has targeted for Code compliance questions.

Nor does the 5Rights Foundation appear to have published the list of companies it’s raising concerns about (but it has passed their names to the regulator).

Its correspondence to the ICO also refers directly to Facebook whistleblower, Frances Haugen’s recent testimony to lawmakers, which includes warnings over the toxicity of platforms like Instagram for teens’ developing brains — suggesting the social media giant (now known as Meta) is likely on its list.

The charity’s chair, Baroness Kidron, was instrumental in pushing for the Code’s set of headline standards to be established by the ICO in the first place, as part of the UK’s existing data protection legislation.

Although the Code only came into force at the start of September the standards were published at the start of last year — with the ICO opting to give business a long grace period to come into compliance.

So, in one sense, it’ll be difficult for established businesses to argue that they haven’t had enough time to make the necessary changes.

Moreover, while the ICO doesn’t exactly have a reputation as a pro-active enforcer of digital rights, child safety groups like the 5Rights Foundation don’t look like they’ll be content to let enforcement sit still for long.

“There is a danger that the Code is being interpreted as introducing a handful of safety measures, rather than a requiring a holistic re-design of the systems and processes of services to ensure their data collection practices are in the best interests of children,” the 5Rights Foundation warns in its letter. “If the Code is to have real value in protecting children’s safety and rights in the digital environment, the ICO must make sure that it is respected in practice.”

Kidron also suggests that the “systemic” nature of the problems the 5Rights Foundation’s research unearthed suggests that while the issues were identified ahead of the Code coming into force this fall, “many” will likely persist — hence it’s urging the ICO to investigate “apparent breaches” and publish guidance.

In her response, Denham suggests a timeline of next spring for the ICO to take some sort of action, writing: “In terms of timescales, we need to take the time to understand what the information gathered is telling us systemically and individually. Our regulatory options will be based on that careful understanding and as such I expect that we will progress to next steps in spring 2022.”

But it’s notable that she has written “next steps” — rather than actual enforcement.

This suggests there may be a far longer dance of the ICO trying to ‘encourage’ improvements from the tech industry vs muscular enforcement on platform giants — as we’ve seen in the case of systemic breaches of data protection law by the adtech industry (which the ICO has been ‘investigating’ for years, just without taking any enforcement action).

See, for example, the discussion later in Denham’s letter to Kidron of “stakeholder roundtable events” where she says it’s planning to gather evidence about the use of age assurance tech, specifically, that will be “used to inform the scope of any further regulatory action in relation to age assurance”.

On age assurance — aka, technologies and techniques used to try to determine the age of a user to figure out if they are underage/a minor — the 5Rights Foundation’s research found “many” services with age restrictions that it said can, nonetheless, “be easily accessed by children under the minimum age of use, including adult-only services”.

It also reports finding some services stating that they do not collect any personal data from children — yet says “many” of these lacked age assurance or else used age assurance that can be easily bypassed (such as asking children to input a birth date, which they can just lie about).

“If these services do not identify child users, it is unclear how they are upholding their own privacy policies or are able to implement the Code,” the charity goes on to warn in the letter.

However the question of how platforms can comply with elements of the cCode like ‘age assurance’ requirements is not exactly a straightforward one.

Last month the ICO put out a call for evidence on age assurance. And in an opinion on the topic, published simultaneously, the regulator offered some tentative guidance for digital service providers — recommending a risk-based approach and suggesting those platforms and apps that pose a “high” risk to children should either apply all relevant code standards to all users to ensure risks are “mitigated”; or introduce age assurance measures that “give the highest possible level of certainty on age of users” (likely to mean age verification rather than age estimation).

For low or medium risk services, the ICO suggested either applying all relevant code standards to all users to ensure risks are “low”; or “introduce age assurance measures that give a level of certainty on the age of child users that is proportionate to the potential risks to children”.

So there’s inherent subjectivity in how platforms assess risks and choose which mitigating measures to apply.

The opinion also highlighted the challenge for digital services in balancing the requirement to protect privacy with applying (potentially) intrusive age assurance techniques, with the ICO writing: “While the Commissioner appreciates the developments in age assurance techniques, technology and policy, more needs to be done to ensure these respect and comply with data protection law.”

The regulator also committed to revisiting the opinion in line with a planned review of the Code in 2022 — “due to the rapidly evolving state of the age assurance market, wider legislative proposals and developing policy landscape”.

Expecting muscular enforcement to rain down in an area where privacy and safety intersect — and even collide — and where there is no simple one-size-fits all solution that will be appropriate everywhere, for every type of service and user — seems, well, unlikely.

Denham’s lengthy letter is not only packed with caveats and qualifications it begins by managing expectations — framing the Code as seeking to drive “proportionate protections that enhance society’s engagement with the digital world” — all of which suggests her office will favor a more pragmatic, tweak-by-tweak, approach to compliance with the Code than some child safety charities (and age assurance tech providers) might prefer.

The UK government is also in the process of consulting on ‘reforming’ the domestic data protection regime — potentially interfering with the independence of the ICO in favor of prioritizing data-fuelled ‘innovation’. So the ICO may get defanged and domestic privacy rights gutted in the not too distant future.

Time will tell how this one plays out. But the UK’s child safety campaigners may end up finding themselves feeling as frustrated as UK privacy advocates — who continue to whistle for regulatory enforcement against systemic breaches (that the ICO has itself identified) years after the country updated its data protection regime to add (at least on paper) a set of teeth…

“I hope you will recognise that as a regulator, the ICO will always face tough choices on how to deploy our limited resources,” Denham cautions Kidron. “As such, this is why our initial focus is on those cases of greatest potential harm with non-conformance across multiple standards.”

She also warns that the ICO will be staying in its lane — such as by not applying the Code’s standards retrospectively.

Denham’s letter is also careful to emphasize that the regulator cannot tackle certain concerns raised by the charity as they don’t fall under its remit or else fall outside the scope of the Code (such as child accessing adult-only websites) — pointing instead to the forthcoming Online Safety Act as the appropriate legislation for that; a content-focused regulation that will be overseen by Ofcom, not the ICO.

“The ICO will continue to work with DCMS [the Department for Digital, Culture, Media and Sport], Ofcom as the intended online safety regulator, and others to ensure that where we can act under current regulation, we do try to prevent underage access. However the solution to the problem is not one that sits squarely within the code or within data protection so is not one the ICO can commit to address entirely,” she adds.