Protecting children in the digital playground

The Age Appropriate Design Code from the Information Commissioner’s Office, which has now come into force, ushers in a new set of standards for digital platforms and companies.

These standards are quite comprehensive, and at the core they recognise that children of different ages have the right to participate in an age-appropriate online environment and that platforms must exercise a duty of care towards those children.

Much like amusement parks have height restrictions on rollercoasters, the age-appropriate design code extends that duty of care to digital playgrounds. Critically, verifying users’ ages online would also limit adult strangers’ access to young children, which would significantly enhance safeguarding children online. Given the spike in child sexual abuse activity during Covid-19, this is a significant benefit.

One must consider how the code is to be implemented. Already, examples of changes to policy and practice in relation to children’s use of their services have been rolling in from some of the internet’s biggest players. Facebook, Google and TikTok have all recently made some fairly significant changes to the services and features that will be offered to children. But how are they to know who is a child?

Children are known to routinely lie about their age online and, with the publicity of these changes and new age requirements, will no doubt now feel greater incentive than ever to lie about their age. As a result, they are evading those protections that are actually being implemented to protect their best interests and may actually be put at greater risk by accessing non-age-appropriate content and services.

In advance of the code coming into force, the UK government ran a programme of work entitled the Verification of Children Online (VoCO), which brought together stakeholders from industry such as TikTok, Google, Microsoft and Facebook, all of the mobile operators and internet service providers, to examine this topic in advance of its roll-out.

A series of successful technical trials were run involving BT and TrustElevate, a child age verification and parental consent provider. The trials indicated that it is possible to reliably verify all ages, including under-16s, and for under-13s to verify an assertion of parental responsibility so that a parent can grant, deny or revoke consent to data processing, purchasing and access.

These technical trials aligned with another key element that is a technical standard on identity attribute verification – age/parental status are identity attributes published by the British Standards Institution, which is in the process of becoming an international standard. An identity standards-based approach enables global businesses to meet regulatory requirements stipulated in a raft of regulations, such as the Data Protection Regulation, US Children’s Online Privacy Protection Act, Payment Services Directive and Anti-Money Laundering Directive.

In effect, the UK is demonstrating thought leadership in this arena, not only from a legal perspective in implementing the code and the proposed Online Safety Bill, but also in terms of developing the technical standards that will underpin and support the verification of children online and trialling technical solutions in consultation with industry. The VoCO programme of work also involved child-centric research and a guiding objective is to enable digital parenting in all settings, including, for example, children in care.

All of this work has led to the creation of a new opportunity for companies to meet the age-checking and parental-consent requirements of larger companies. There are a variety of services available, for example age estimation services that rely on processing children’s data, in some instances biometric data, in the absence of parental consent.

Why rely on an estimation of age when you can, in a privacy-preserving manner, reliably, securely and verify age, protect children and your business?

Dr Rachel O’Connell, founder of TrustElevate, is the author of a technical standard published by the British Standards Institution that describes how to verify the age band a person belongs to in a privacy-preserving, secure manner.