At what age should children be allowed to access the internet without parental oversight? This is a hairy question that raises all sorts of issues about rights, freedoms, morality, skills, and cognitive capability. Cultural values also come into play full force on this one.
Consider, for example, that in the 1800s, the age of sexual (and marital) consent in the United States was between 10 and 12 (except Delaware, where it was seven). The age of consent in England was 12, and it’s still 14 in Germany. This is discomforting for many Western parents who can’t even fathom their 10- or 12-year-old being sexually mature. And so, over time, many countries have raised the age of sexual consent.
But the internet has raised new questions about consent. Is the internet more or less risky than sexual intercourse?
How can youth be protected from risks they cannot fully understand, such as the reputational risks associated with things going terribly awry? And what role should the state and parents have in protecting youth?
This ain’t a new battle. These issues have raged since the early days of the internet. In 1998, the United States passed a law known as the Children’s Online Privacy Protection Act (COPPA), which restricts the kinds of data companies can collect from children under 13 without parental permission. Most proponents of the law argue that this intervention has stopped countless sleazy companies from doing inappropriate things with children’s data.
I have a more cynical view.
Watching teens and parents navigate this issue — and then surveying parents about it — I came to the conclusion that the law prompted companies to restrict access to under-13s, which then prompted children (with parental knowledge) to lie about their age. Worse, I watched as companies stopped innovating for children or providing services that could really help them.
Proponents often push back, highlighting that companies could get parental permission rather than just restrict children. Liability issues aside, why would they? Most major companies aren’t interested in 12-year-olds, so it’s a lot easier to comply with the law by creating a wall than going through a hellacious process of parental consent.
So here we are, with a U.S. law that prompts companies to limit access to 13-plus, a law that has become the norm around the globe. Along comes the EU, proposing a new law to regulate the flow of personal data, including a provision that would allow individual countries to restrict children’s access to the internet at any age (with a cap at age 16).
Implicitly, this means the European standard is to become 16-plus, because how else are companies going to build a process that gives Spanish kids access at 14, German kids at 16, and Italian kids at 12?
Many in the EU are angry at how American companies treat people’s data and respond to values of privacy. We saw this loud and clear when the European Court of Justice invalidated the “safe harbor” and in earlier issues, such as “the right to be forgotten.” Honestly? The Europeans have a right to be angry. They’re so much more thoughtful on issues of privacy, and many U.S. companies pretty much roll their eyes and ignore them. But the problem is that this new law isn’t going to screw American companies, even if it makes them irritable. Instead, it’s going to screw kids. And that infuriates me.
Implicit in this new law — and COPPA more generally — is an assumption that parents can and should consent on behalf of their children. I take issue with both. While some educated parents have thought long and hard about the flows of data, the identity work that goes into reputation, and the legal mechanisms that do or don’t protect children, they are few and far between.
Most parents don’t have the foggiest clue what happens to their kids’ data, and giving them the power to consent sure doesn’t help them become more informed. Hell, most parents don’t have enough information to make responsible decisions for themselves, so why are we trusting them to know enough to protect their children?
We’re doing so because we believe they should have control, that they have the right to control and protect their children, and that no company or government should take this away.
The irony is that this runs completely counter to the treaty that most responsible countries signed at the UN Convention on the Rights of the Child. Every European country committed to making sure that children have the right to privacy — including a right to privacy from their parents. Psychotically individualistic and anti-government, the United States decided not to sign onto this empowering treaty because it was horrifying to U.S. sensibilities that the government would be able to give children rights in opposition to parents. But European countries understood that kids deserved rights. So why is the EU now suggesting that kids can’t consent to using the internet?
This legislation is shaped by a romanticization of parent-child relationships and an assumption of parental knowledge that is laughable.
But what really bothers me are the consequences to the least-empowered youth. While the EU at least made a carve-out for kids who are accessing counseling services, there’s no consideration of how many LGBTQ kids are accessing sites that might put them in danger if their parents knew. There’s no consideration for kids who are regularly abused and using technology and peer relations to get support. There’s no consideration for kids who are trying to get health information, privately. And so on. The UN Rights of the Child puts vulnerable youth front and center in protections. But somehow they’ve been forgotten by EU policymakers.
Child advocates are responding critically. I’m also hearing from countless scholars who are befuddled by and unsure of why this is happening. And it doesn’t seem as though the EU process even engaged the public or experts on these issues before moving forward. So my hope is that some magical outcry will stymie this proposal sooner rather than later. But I’m often clueless when it comes to how lawmakers work.
What baffles me the most is the logic of this proposal given the likely outcomes. We know from the dynamics around COPPA that, if given the chance, kids will lie about their age. And parents will help them. But even if we start getting parental permission, this means we’ll be collecting lots more information about youth, going against the efforts to minimize information. Still, most intriguing is what I expect this will do to the corporate ecosystem.
Big multinationals like Facebook and Twitter, which operate in the EU, will be required to follow this law. All companies based in the EU will be required to comply with this law. But what about small non-EU companies that do not store data in the EU or work with EU vendors and advertisers? It’s unclear if they’ll have to comply because they aren’t within the EU’s reach. Will this mean that EU youth will jump from non-EU service to non-EU service to gain access? Will this actually end up benefiting non-EU startups who are trying to challenge the big multinationals? But doesn’t this completely undermine the EU’s efforts to build EU companies and services?
I don’t know, but that’s my gut feeling when reading the new law.
While I’m not a lawyer, one thing I’ve learned in studying young people and technology is that when there’s a will, there’s a way. And good luck trying to stop a 15-year-old from sharing photos with her best friend when her popularity is on the line.
I don’t know what will come from this law, but it seems completely misguided. It won’t protect kids’ data. It won’t empower parents. It won’t enhance privacy. It won’t make people more knowledgeable about data abuses. It will irritate but not fundamentally harm U.S. companies. It will help vendors that offer age verification become rich. It will hinder EU companies’ ability to compete. But above all else, it will make teenagers’ lives more difficult, make vulnerable youth more vulnerable, and invite kids to be more deceptive. Is that really what we want?
(This was originally posted on Bright on Medium.)