The Digital Age of Consent: 2 Years Later
THE LONG READ: On the occasion of the second anniversary of the digital age of consent being set in Ireland as 16, professor Brian O’Neill and Cliona Curley, take stock of its impact on children and asks if anything has fundamentally changed since its introduction.
The General Data Protection Regulation (GDPR) came into effect across Europe two years ago on May 25th, 2018 and brought the issue of children’s personal data to the fore.
The GDPR introduced for the first time in the European Union special privacy protections for children. Children were identified in the GDPR as “vulnerable individuals” meriting “special protection” as data subjects. The processing of children’s data in the context of their social media use was a focal point of discussion at that time, giving rise to a heated debate regarding the so-called “digital age of consent” which in Ireland has been set at 16 years.
One year ago, on the first anniversary of the GDPR’s introduction, CyberSafeIreland commissioned research to examine the measures social media services, at least those that are popular with children, had introduced in response, particularly in relation to age verification mechanisms. To coincide with the second anniversary of GDPR, this study has now been repeated and provides an opportunity to see if anything has fundamentally changed.
The continuing impact of COPPA alongside GDPR
So, how is it that children, many of them underage, continue to use social media services in large numbers in contravention of age restrictions and certainly the intent of GDPR?
By contrast, the GDPR does not specify how parental consent should be obtained, nor does it oblige service providers to obtain any additional verification of age once users register, truthfully or otherwise, to access their service. Such guidance or more specific restrictions are likely to come from codes of conduct which the GDPR encourages member states and supervisory authorities to develop but which are not yet in place. In the meantime, most social media service providers have responded by limiting the data they collect from users under the digital age of consent, thereby also limiting some functionality, while continuing to place the main emphasis on restricting access to under-13s in order to avoid infringing COPPA regulations.
Underage use of social media
Through its regular surveys of 8 to 12 year olds’ use of digital technologies, CyberSafeIreland has followed closely the use of social media and messaging services by children 13 years and young. Its most recent Annual Report found a high level of underage use with 48% of 8 year olds, 45% of 9 year olds and steadily increasing use from age 10 (55%) up to 13 (96%) active on social media.
The 2020 review of age verification mechanisms for the 10 most popular social media apps used by children found that it is possible to get around age restrictions simply by lying about your age (see Table 1).
If a user is initially honest in entering their age and tries gain access as an under-13 year old, some companies, notably TikTok, have made it distinctly harder to go back and try to sign up with a false age. This might be best described as a deterrent (rather than a barrier) to underage users. Messenger, Facebook and HouseParty, for instance, also made it somewhat more difficult to re-register and had to be re-installed before allowing a user to re-start the sign-up process. However, in all cases, the researcher was able to successfully get around the restrictions and set up a user account without encountering any further attempt at age verification.
Regulating for underage use
The purpose of GDPR in relation to children’s data was always a matter of privacy protection rather than safety or regulating against underage use of social media. The debate on the digital age of consent did focus attention on prevailing age restrictions and certainly raised general awareness, including among parents, about the appropriate age for use of digital technologies more generally. However, a key concern is that by incentivising children to lie about their age to access social media (and seeing that is feasible to do so), children are likely to be more vulnerable online as they seek to avoid the constraints that GDPR may entail.
The full findings of the 2020 Technical Report: A Review of Age Verification Mechanisms for 10 Social Media Apps are available here.
Professor Brian O’Neill, Technological University of Dublin (TUD), is a researcher of young people’s use of digital technologies, online safety and policy for the digital environment. He is member of the Internet Safety Advisory Board for the Safer Internet Ireland programme. He also leads the EU Kids Online project in Ireland and is a board advisor for CyberSafeIreland.
Cliona Curley worked in law enforcement in the UK for many years, specialising in cybercrime investigation. She is Programme Advisor of CyberSafeIreland, a not for profit organisation that delivers online safety education to primary school children and their parents and she is also working towards a PhD in the Computer Science Programme at UCD
To see Table 1: Summary of test results for Top 10 Special Media Apps, click here.
“GDPR & ePrivacy Regulations” by Dennis Convert is licensed under CC BY 2.0
CyberSafeKids is an Irish charity, which has been empowering children, parents, schools and businesses to navigate the online world in a safer and more responsible way since 2015.