Gen X, Y, Z...Stealth?

Will Centennials be the first data-protected generation?

The United Kingdom’s new data protection laws seek to protect children online by significantly limiting companies’ ability to collect their information and to utilize it to recommend content. The new laws represent the fulfillment of the UK’s commitment to create child-specific requirements for designers and developers as part of the sweeping data protection laws in the General Data Protection Regulation (GDPR) of the European Union’s 2018 Data Protection Act. Companies operating online services were sent scrambling to post notices and create or enhance users’ ability to manage their data privacy, and resulting in hundreds of millions in fines. To date, companies like British Airways ($230M), Marriott ($123M), and Google ($57M) have paid about half a billion in fines, and many others are under investigation. 

Britain’s Age Appropriate Design Code (AADC) is stricter than US law. First, there’s the age limit (under 13 in the US vs. under 18 in the UK), then the stated maximum penalty (up to 4% of a company’s worldwide revenue in the UK, though the US’ FTC assessed Facebook the largest ever fine of $5B), and then there’s the breadth and depth of the requirements and the scope (15 principles that require considerations beyond simple data collection, e.g. for the risk of sexual exploitation, psychological and emotional development, protection and support for developing their own views, and recognition of the role of parents). The range of companies it effects is notable (and forward-looking)—online services, games, content, apps, advertisers, social media, marketplaces, connected toys, and any business that sells products/services via its website. And finally, its continued fortification of the Information Commissioner's Office enforcement powers.

To comply with AADC, companies are expected to design and develop child-friendly products/services with the highest possible data protection settings by default (with robust age-verification mechanisms so that adults can opt out of child protections), and to limit their collection and sharing of data to very limited circumstances required to deliver age-appropriate products/services. 

Industry groups representing Amazon, Facebook, Google, digital ad agencies, media companies, and startups lobbied to weaken the rules developed by Britain’s information commissioner and independent regulator, Elizabeth Denham. There chief complaints were the lack of technical specificity and concerns that they may not be able to identify the children among their users without collecting more data than they do currently; that older children or teens will be unable to access content that’s appropriate to their levels of maturity; and that the companies may not be able to offer their products/services via their current revenue models (ad-funded and free/low cost to consumers or financed via data sharing/sale), if at all.

The largely unchanged AADC is expected to be adopted within the next two months. Data breaches are on the rise (160,000 since implementation of GDPR), as are cyberbullying and associated suicides among school-aged children worldwide.

Will these new rules make the online services and experiences safer for children? Will other countries adopt stricter regulations regarding children's data privacy? Will AADC influence companies to change the way they collect, use and sell children’s data—or all users' data? Or, will companies simply use this as a reason to craft premium kids-only/data-protected services? 

What do you think?