Britain takes big steps to protect kids' privacy. Advocates hope the U.S. will be next.
WASHINGTON -- The sweeping new protections Britain just proposed for children online stand in stark contrast to the narrow, decades-old American law protecting minors' digital privacy.
The new standards unveiled Tuesday by a British data watchdog would require companies ranging from social networks to gaming apps to provide children a "built-in baseline of data protection." Platforms such as YouTube, TikTok and Instagram will have to ensure children have the highest privacy settings by default, and targeted advertising and location tracking for children must be turned off by default.
These proposed rules, known as the Age-Appropriate Design Code, also require companies to consider the "best interests" of children when designing new services, making sure they collecting data in a manner that protects children from exploitation and supports their psychological development.
"There are laws to protect children in the real world -- film ratings, car seats, age restrictions on drinking and smoking," Elizabeth Denham, the United Kingdom's information commissioner, said in a news release. "We need our laws to protect children in the digital world too."
She added: "In a generation from now, we will look back and find it astonishing that online services weren't always designed with children in mind."
The rules, which are now awaiting approval from Parliament, are just the latest sign that Europe is a step ahead of the United States on regulating privacy. And some American advocates are hopeful the privacy push across the pond could put pressure on Congress and U.S. regulators to take action.
They argue the U.S. children's privacy law is overdue for an update: It was written more than 20 years ago, before the advent of smartphones and many of the services that the U.K. regulations address.
James Steyer, the chief executive and founder of the families advocacy nonprofit group Common Sense, told The Technology 202 that he's "thrilled" to see Britain taking steps to protect children online.
"Young people should be able to learn, grow and benefit from technology without being subject to harms and this code establishes standards for companies to follow and prioritize children's best interests," he told me in an email. "Parents, teachers and families everywhere deserve such safeguards, and we hope the U.S. soon follows suit."
There are signs that the appetite to address children's privacy is growing on this side of the Atlantic. The Federal Trade Commission has been stepping up its efforts to address children's privacy in recent months, hittingYouTube with a record $170 million fine for allegedly violating the children's privacy law. YouTube had to make changes to how it addresses children's content on its service per its settlement with the agency. The agency has also launched a review of the Children's Online Privacy Protection Act (COPPA) that could result in updates.
But Congress has been slow to act. Children's digital privacy appeared to be one of the rare issues of bipartisan consensus in Washington last year, but lawmakers have yet to gain serious traction for proposals that would update COPPA, which was written in 1998 and only applies to children under 13.
Edward Markey, D-Mass., and Sen. Josh Hawley, R-Mo., introduced legislation in March that would update the law to include privacy provisions to protect teens under 16. It would also introduce a "Digital Marketing Bill of Rights for Minors" that would limit the collection of children's personal information, and create a new division at the FTC dedicated to children's privacy. Some lawmakers have said elements of it could be included in a broad federal privacy bill. Reps. Tim Walberg, R-Mich., and Bobby Rush, D-Ill., introduced similar legislation in the House earlier this month, The Hill reports.
However, it's unlikely that any children's privacy policies in the U.S. would be as aggressive as the U.K. code. The new rules are rooted in Europe's broad data privacy law, the General Data Protection Regulation. Like GDPR, companies that fail to comply would face steep fines of up to 4 percent of global revenue. By contrast, the U.S. currently does not have a general federal online privacy law.
British industry groups and companies have also challenged the rules, warning that it could place a burden on start-ups and give an advantage to large tech companies that have more resources for compliance.
"The UK has been pioneering in relation to its protection of children on the Internet, particularly its move toward protecting children's data online, which is very fresh," Victoria Nash, deputy director of the Oxford Internet Institute and an expert on children's use of digital services, told The Financial Times. "However, my two concerns are that this wide-ranging regulation tends to increase monopoly power of big tech firms, rather than decrease it. The second is a slight residual concern that it focuses on specific features or tools [like geolocation], which aren't in themselves always problematic."
If the code is approved by Parliament, companies would have a 12-month period to update their practices, and it would come into full effect by autumn 2021, the British data regulator predicts.