Age Gating

Nowhere in the world have age verification obligations been imposed on online services like in India’s data protection law. Requiring users to prove their identity before the link they have clicked on can open will break the internet. Requiring children to get parental consent is not necessarily a good thing as parents often have a lesser understanding of privacy risk than their children who are digital natives. Instead we should hold platforms accountable for harms caused to children.

This article was first published in The Mint. You can read the original at this link.

While most of the provisions of India’s upcoming personal data protection statute have been thoroughly dissected, the provision dealing with how children’s personal data must be processed hasn’t really received the attention it deserves. The draft law requires data fiduciaries to verify the age of children and seek the consent of a parent or guardian before processing their data. While it is reasonable to impose additional obligations on the processing of children’s data, the age verification requirement that has been proposed will upend internet usage.

Age Gating

Certain activities have always been considered inappropriate for children. Since parents can’t be everywhere all the time, society took it upon itself to set up mechanisms to protect them. When children go to see a movie, for example, gatekeepers at the theatre make sure they don’t get into halls that are screening films that are not age appropriate. If they try sneaking into a bar, these establishments are required by law to ensure kids below the legal age do not enter.

It is this concept of age-gating that India’s personal data protection bill is attempting to apply to the collection of personal data from children. Unfortunately, unlike in a nightclub, where a bouncer at the door can eyeball a patron and quickly assess whether or not he or she is old enough to enter, there is no easy way for an online service to assess which of its users are underage and which are not. In order to comply with India’s new law, all internet platforms will have to put in place age verification mechanisms to check the identity of all their users.

No law anywhere in the world has attempted to impose such a broad and strict age verification obligation on online services, largely because doing so would impair the internet experience. Hypertext is designed to let users hop from one page to another by clicking on the links they come across. If you have to prove your identity before the link you click on can open, it will literally destroy the internet as we know it.

The Blind Leading the Blind

But even if we set aside this extreme requirement for a moment, I am not sure that entrusting the online privacy of our children to the ability of their parents to make correct decisions on their behalf really serves the purpose. Regular readers of this column will know that I am sceptical about our over-reliance on consent. Nobody really reads the privacy policies that they sign up to, and even if they do, the inter-connected intricacies of modern data practices make it impossible for anyone to fully comprehend the privacy consequences of everything that they agree to. As I have pointed out before:

Today, consent is a formality—a step we blindly take when we sign up to new services. We agree to terms and conditions as acts of faith, trusting that the service providers we’ve signed up with will not let us down. Even if we want to be mindful about what we are committing to, we feel a sense of futility in even attempting to understand these terms as we have no scope to negotiate any provisions we might find unacceptable.

If this is what happens when adults sign on to a service for themselves, relying on them to safeguard their children’s privacy is rather like asking the blind to lead the blind. In an earlier article I referred to a study that showed how dangerous this could actually be for children:

A study by the University of Michigan has revealed that as many as 56% of the parents surveyed shared potentially embarrassing information about their children online while 51% shared information that could lead to potentially identifying the location of the child.

If anything, today’s children are true digital natives. In just the last year, for example, with so much of education and social interaction going online, the reason most children have managed to weather the lockdown so well is precisely because of how digitally savvy they are. Even though we may not fully appreciate it, our children have been navigating the digital world for years, and they can do so far better than most of their parents ever will. They probably already have a far better understanding of the dangers of the online world than their parents do.

The First Line of Defence

This is not to say that children are born with an innate grasp of the perils of the digital world. There is no doubt that our young are vulnerable to predators and that their minds are susceptible to being shaped by unwanted influences. Personal data collected from them can and often will be used to target them and entice them to products are services that are just not good for them. Parents cannot shy away from their responsibility to appropriately chaperone children whenever they are online. That said, once they have grown old enough, at least in the opinion of their parents, to use the internet unsupervised, they should no longer be subjected to the requirement of parental consent that the Indian law seeks to impose.

In most countries, once children cross the age of 13, they are allowed greater freedom online. In most instances, this is also, on average the age at which kids receive their first phone—a further indication that they are old enough to have the independence and bear the responsibility that owning their own digital device entails. One would think that at least at this age they can be expected to better appreciate the implications of their actions for their personal privacy. Yet, for reasons that escape me, India has eschewed this global norm and decided that parents need to continue to approve data collection on behalf of their children till they turn 18 years old.

Accountability

We would be far better off if we extend the principle of accountability to the protection of children’s online privacy. Instead of imposing age verification obligations on them, we could have held internet companies accountable for the harms their algorithms might cause children, effectively forcing them to take all steps necessary to ensure that they do not, even by accident, cause harm to a child. If the consequences for failing to do so are harsh enough, they will of their own accord take steps to ensure that their ad engines are calibrated to stop serving ads to children, and that services running on their platforms no longer ask them for personal data.

Most importantly, by forsaking a misguided form of age-gating, we will keep the internet free.