What does GDPR mean for our kids?

You may be wondering what, if any, impact Europe’s sweeping new data law, GDPR (for General Data Privacy Regulation), has on parenting tech users in your life. After all, it went into effect today, and you may’ve seen headlines like the New York Times’s about how it makes Europe the “world’s leading tech watchdog” or the piece in Ad Age pointing out the irony that a data privacy law triggered a tsunami of spam in our email in-boxes (Quartz actually sent an email with the subject: “This is not that kind of email”).

Digital ages of consent across Europe (chart courtesy of U. of Ghent & the EC: betterinternetforkids.eu/web/portal/practice/awareness/detail?articleId=3017751)

More protection, more confusion

The problem is, no one — from researchers to companies — is completely sure how the companies will obtain and verify a parent’s consent. And, practically speaking, how much time will parents really have to go through whatever hoops will be part of providing their consent to multiple companies? GDPR is adding fresh fuel to digital-age parent shaming.

Over-restriction too

CNN reported a statement made by Whatsapp that it “had to make a tradeoff between collecting more information or deciding to keep it simple and raise the minimum age of users to 16 across Europe.” Which brings up an important point about unintended consequences. Age verification means <em>more</em> data is gathered, not less. The more data companies gather and store on people of any age, the more vulnerable those users are to data breaches, identity theft, etc. (and minors’ data are extremely attractive to identity thieves). On the other hand, where appropriate, user data can be used by law enforcement to protect innocents and catch criminals. And when companies don’t verify and thus know users’ ages, they have no way of knowing who’s vulnerable in order to provide protective features for them.

Maybe consult the rights holders?

As Prof. Sonia Livingstone points out in the Parenting for a Digital Future blog, if we’re talking about children’s and teens’ rights, why aren’t we talking with the rights holders? “Children’s voices and experiences have been signally lacking from these debates, largely ignored precisely by the states and European regulatory bodies that have officially promised to recognise their right to be heard.” Two and a half years ago, when the GDPR was being ratified, I wrote that Europe was in effect taking youth digital rights backwards. Because unexpectedly and inexplicably — in a closed-door session and without consulting child online protection experts, much less youth themselves — the policymakers who drafted the GDPR made a modification that raised the EU’s digital age of consent to 16.

Related links

  • A fundamental right of youth, digital and otherwise — enshrined in the UN Convention on the Rights of the Child — is to be consulted in the making of policies that concern them. That right was a full-on oversight by the creators of the GDPR So I was thrilled to read that Prof. Livingstone has started and will lead a new research project to surface “how children themselves understand how their personal data is used and how their data literacy develops through the years from 11–16 years old.” This should’ve been initiated by Brussels years ago, but at least it’s happening now. Read more about it here.
  • About 2011 research on the unintended consequences of COPPA: Did any policymakers in Europe happen to have a look at that?
  • Youth digital rights: My post about their framework almost 4 years ago (I’ll be blogging more on this soon)
  • A helpful explainer of GDPR from the New York Times
  • About EU members’ various digital ages of consent: from the European Commission
  • About all that spam: New York Times tech writer Brian Chen advises people to read, not just delete, the emails and explains why
  • TechCrunch on Facebook’s new Youth Portal educating them on how their data’s being used – aimed, I think, more at teens and parents in other countries, where teen Facebook use is still huge
  • Age verification challenges: Wired has details.
  • Trying to do so much. Possibly because aiming to “ease restrictions on data flows,” give citizens people over their data, protect their right to privacy and spur economic growth, GDPR is necessarily complex and ambiguous, but there’s another reason, suggests Prof. Alison Cool at University of Colorado, Boulder, in an opinion piece in the New York Times: “What are often framed as legal and technical questions are also questions of values. The European Union’s 28 member states have different historical experiences and contemporary attitudes about data collection. Germans, recalling the Nazis’ deadly efficient use of information, are suspicious of government or corporate collection of personal data; people in Nordic countries, on the other hand, link the collection and organization of data to the functioning of strong social welfare systems. Thus, the regulation is intentionally ambiguous, representing a series of compromises.”
  • An analysis of GDPR’s effects by Julia Powles, Cornell Tech and New York University researcher, in The New Yorker
  • Our “wakeup call”: My piece last month about this spring’s pivotal “moment” (or set of converging developments) when “big data” suddenly got personal for people in many societies, especially the US and UK

Youth advocate; blogger, NetFamilyNews.org; founder, The Net Safety Collaborative