In 1995, a grumpy football pundit called Alan Hansen famously said you can’t win anything with kids. But times have changed for the nation’s favourite pastimes (football and data protection), and it’s now widely accepted that (1) although they grow up so fast these days, (2) children need to be protected online more than ever before.
Unlike the Data Protection Directive, which was silent on this area, the GDPR contains a range of provisions to enhance the protection of children’s personal data. These include requirements on companies to design products and services with minors in mind and rules around obtaining parental consent where “information society services” are offered to children under the age of 16 (which can be lowered to 13 years old, as in the UK).
Those protections were timely, given the prevalence of smartphone use amongst children. Half of all 10-year-olds in the UK own a device – and if my household is anything to go by, they want to be on them ALL THE TIME.
For that reason, it’s notable that there has been little focus on enforcing kids’ privacy rights under the GDPR. That’s now starting to change. Last week, the children’s commissioner for England supported a case that may be brought against social media platform du jour TikTok for using children’s data unlawfully. The proposed litigation, which is being led by an unidentified 12-year-old girl, follows recent high-profile actions involving various social media giants’ use of children’ personal data, by regulators (Italy) and private parties (the UK) alike.
These cases raise issues that go to the heart of how platforms operate and the challenges they face in dealing with underage users. For example, how will regulators and courts interpret the requirement to obtain and demonstrate parental consent? Address the difficulties of policing terms of service that prohibit young children from using a platform or app? Calculate damages for potentially millions of children?
The answer to these questions will be closely watched by lawyers, platforms and parents across Europe. But probably not by Alan Hansen.
The personal data at issue is used in an algorithm which analyses the user's preferences in order to tailor the content presented to them to capture and keep their attention.