Online Age Verification Bill – the answer to a data protection conundrum?

Claire Walker

Datonomy was interested to read about a Private Member’s Bill which received its first reading in the House of Lords recently, and wonders whether this could help to advance the debate on the vexed issue of what constitutes “verifiable parental consent” in an online data protection context.

The Online Purchasing of Goods and Services (Age Verification) Bill, was introduced by Baroness Massey of Darwen and had its first reading on 14 January Short and sweet, the Bill (originally proposed by MP Margaret Moran in 2008 under the Ten Minute Rule) proposes that online providers of age restricted goods and services, as specified by the Government, shall take “all reasonable steps to determine that the person purchasing or otherwise obtaining access to such goods and services meets the specifications of the relevant age restriction”. Service providers failing to make the requisite checks would face criminal liability. Under the Bill, the list of regulated goods and services would not necessarily be limited to products which are already the subject of statutory age restrictions. Service providers failing to make the requisite checks would face criminal liability. The Government would be obliged to publish compliance guidance on an annual basis.
Age verification is a practical rather than a legal problem, and the devil is in the (technological) detail. The current Bill provides only the sketchiest of frameworks and, like most Private Member’s Bills, is unlikely to reach the statute book in its current form. However, its proponents have a serious message, and are using the Bill to throw down the gauntlet to retailers, payment providers and the Government to strengthen child protection in this area. By raising the profile of the issue, the Bill could influence future Government-sponsored legislation.
So, what this got to do with data protection? Although the Bill makes no mention of DP issues, in practice, verifying a purchaser’s age is inextricably linked to gaining a valid consent to the processing of his or her personal data.
In contrast to the United States, which has specific legislation in the form of the federal Children’s Online Privacy Protection Act (COPPA), the Data Protection Act 1998 is more or less silent on the specific issue of how to treat children for data protection purposes (the exception being section 66

However, this is not to say that the Act does not impose strict standards for the handling of children’s data. As avid “Datonomists” will know, the Act sets out very broad principles which a data controller must apply in any given context. All eight principles will need to be observed, but the key issue here is the First Principle – that personal data must be processed fairly and lawfully and that in particular one of the conditions (set out in Schedule 2) must be met. However, there is still a dearth of detailed practical guidance from the Commissioner in this area.
Essentially the ICO’s published guidance on the question of verifiable parental consent has not moved on much from the 1999 legal guidance which suggested that in some circumstances, verifiable parental consent might require the (unattractive option of) paper communications between the data controller and the parent. The Commissioner’s 2007 good practice note on collecting information from websites devotes a section to collecting children’s data (and makes no mention of paper communications), instead giving very broad guidance on proportionate verification measures, but does not suggest what “verifiable” parental consent might mean in practice.
Perhaps this vacuum in the guidance has advantages – in a constantly evolving technological landscape, it gives responsible data controllers the flexibility to devise practical solutions appropriate to their services and to the target age group, and to meet the spirit of the data protection principles.
Indeed, a number of leading commercial data controllers have been taking the lead in formulating self regulatory guidance, in the form of the Children’s Privacy Protection Network The CPPN now boasts an impressive membership of leading brands and organisations, from Bebo to the “Beeb”, and Warners to Walt Disney. It has an active work programme and is in dialogue with the ICO. It will be interesting to see whether these private initiatives help to shape publicly available guidance.
It is over two years since the ICO published its issues paper on “Protecting children’s personal information” – it would be good to hear if the ICO’s thinking on “verifiable parental consent” has moved on in that time.
Datonomy hopes that the Online Age Verification Bill will help to re-ignite the public debate, and watches its progress with interest!

Leave a Reply

Your email address will not be published. Required fields are marked *