UK wants to force internet companies to think of the children

A UK regulator has drafted 16 things internet companies need to do to help protect children online or else.

Scott Bicheno

April 15, 2019


To be precise it has launched a consultation on a document called ‘Age appropriate design: a code of practice for online services’, but there is little precedent for these consultations resulting in anything other than plan A being fully implemented. It lays down a bunch of rules that anyone providing online services that could be accessed by children – i.e. nearly all of them – needs to follow.

“This is the connected generation,” explained Information Commissioner Elizabeth Denham. “The internet and all its wonders are hardwired into their everyday lives. We shouldn’t have to prevent our children from being able to use it, but we must demand that they are protected when they do. This code does that.

“The ICO’s Code of Practice is a significant step, but it’s just part of the solution to online harms. We see our work as complementary to the current focus on online harms and look forward to participating in discussions regarding the Government’s white paper.”

There are many conceits and Orwellian aspirations implied in those two short statements, not least the implication that the government could prevent children from being able to access the internet if it wanted to. But then nobody’s in favour of harm, are they, so surely this is all for the best. Here’s a summary of the 16 commandments.

  1. Best interests of the child

Protect them from any conceivable harm but you’re still allowed to make money so long as you do that.

  2. Age-appropriate application

If you can stop kids accessing your stuff then don’t worry about all these rules.

  3. Transparency

Provide clear privacy information, including ‘bite sized’ explanations at the point at which use of personal data is activated that kids can understand.

  4. Detrimental use of data

Don’t use kids’ data in a way that might be detrimental to them.

  5. Policies and community standards

Implement your own policies.

  6. Default settings

Privacy settings must be ‘high’ by default and be difficult to change. Reset existing user settings accordingly.

  7. Data minimisation

Only collect the minimum amount of data you need to provide your service.

  8. Data sharing

Don’t share kids’ personal data unless you’ve got a really good reason to do so.

  9. Geolocation

Switch it off by default unless you’ve got a really good reason not to and even then make it clear that it’s on.

  10. Parental controls

Let kids know when their parents are keeping an eye on them.

  11. Profiling

Turn it off by default unless you’ve got a really good reason not to and even then think of the children.

  12. Nudge techniques

Don’t try to persuade kids to lower their privacy protections and don’t use things like reward loops to keep kids engaged. This could even include ‘likes’.

  13. Connected toys and devices

All this applies to them too.

  14. Online tools

Give kids tools to protect themselves online and make them prominent.

  15. Data protection impact assessments

A bureaucratic process to demonstrate you’ve complied with these rules.

  16. Governance and accountability

More bureaucracy to show you’ve done what you’re told.

“If you don’t comply with the code, you are likely to find it difficult to demonstrate that your processing is fair and complies with the GDPR and PECR,” warns the consultation document. “If you process a child’s personal data in breach of this code and the GDPR or PECR, we can take action against you.

“Tools at our disposal include assessment notices, warnings, reprimands, enforcement notices and penalty notices (administrative fines). For serious breaches of the data protection principles, we have the power to issue fines of up to €20 million or 4% of your annual worldwide turnover, whichever is higher.”

Some of the above points, such as 3, 5 and 14, seem perfectly sensible, but taken all together this initiative seems designed to massively increase the bureaucratic burden on nearly all internet companies. As ever the largest ones can just call on their compliance departments to mitigate the restrictions and keep the companies out of trouble. Small ones, however, may have to just impose age restrictions.

In that respect this seems like an extension of the UK porn block law, which Wired does a good job of picking holes in below. At the very least this sort of thing is great news for VPN providers. The announcement coincides with the European Copyright Directive clearing its final hurdle, so before long everyone will be able to access the internet secure in the knowledge that nothing bad will ever happen to them.

