Children and data collection – the law must be changed


In the leading case, known as Gillick, the UK’s highest court had to determine when a child could make a decision for herself. By the same token the judgement also provided guidance about when third parties are obliged to obtain permission from a child’s parents or guardians before they can lawfully proceed with a transaction involving the child.

First point to note: Gillick started in the early 1980s. The internet was not mentioned and was not a factor. Nonetheless the decision and the reasoning behind it remain highly relevant to several issues which crop up in an online context.

Mrs Gillick had five daughters. The eldest was 13. Mrs Gillick was seeking a declaration that unless she had agreed to it doctors could not advise on or prescribe any form of contraception to her girls. The Court disagreed:

“As a matter of law the parental right to determine whether or not their minor child below the age of sixteen will have medical treatment terminates if and when the child achieves sufficient understanding and intelligence to understand fully what is proposed.”

  • Broad principle

The broad principle derived from Gillick has been extended well beyond medical cases. The settled view now seems to be, save where there is a statutory or common law exception, if a child has the necessary comprehension of the matter in hand he or she is legally capable of taking a decision entirely on their own.

  • It’s also a question of privacy

The right to make a decision on your own is closely tied to and shades into your right to privacy. In theory in the UK children acquire a right to privacy the moment they are born. The right is personal to them. It is not a contingent right or one that depends in any way on their parents or guardians. There is no lower or upper age limit attaching to it.

In practice, of course, there are very few things young children can decide entirely alone. They lack the capacity that Gillick said is essential. Their right to privacy is therefore circumscribed. Mum or Dad has to be involved. But as children get older and begin to understand more this changes. When someone reaches the age of majority it changes fundamentally and forever.

  • Age of majority

At the age of majority a person is normally able to decide anything and everything entirely for themselves. Parents fade away. Overnight. In the UK, in international law and in most countries the age of majority is 18.

As a matter of fact, or rather as a matter of law, in certain circumstances, whatever the person’s age, child or adult, they must always have been properly advised by lawyers or other appropriate professionals before taking particular types of decisions.

Also an individual must always truly consent. This means at the very least they have to be able to understand the proposition, whatever it might be. Generally this implies they have full or sufficient mental capacity and the matter has been properly or adequately explained to them beforehand.

  • Parents

However, into this tapestry of a child’s right to act autonomously and to have their privacy safeguarded, we must weave the legal responsibilities, the rights, of parents and guardians. In the main these are grounded in the common sense, everyday realities of family life. But there can be clashes. For example, no matter how apparently mature a child might be, parents and guardians still have a clear obligation to ensure their wards regularly attend school until the age of sixteen. This necessarily entails parents and guardians being told, having a right to be told, about their child’s truancy record, if there is one.

  • Back to Gillick – it all comes down to a subjective test

In ascertaining a legal minor’s ability to take a decision the test is a subjective one. Each child’s actual state of mind has to be determined case by case, individual by individual. For children in the UK there is no fixed or particular age which can be applied in all circumstances to all transactions. In other words whether a doctor is prescribing a young person the contraceptive pill, or someone else is selling them a bicycle, a bag of sweets or inviting them to join their social network the same obligation exists: the provider or vendor must satisfy himself or herself that the child properly understands what is going on.

I suspect that, certainly in the case of something like a social network, if the owner of the network took the view that the child did not understand the environment sufficiently, no amount of parental consent or intervention would mean the network could properly allow the child to remain a member.

Exactly the same concept was later picked up and is now enshrined in international law. Article 5 of the UN Charter on the Rights of the Child speaks of the need to have regard to the

“evolving capacities of the child”

  • Data protection principles

The data protection laws are also highly relevant to children. A key principle of those laws is that any data which is obtained from a data subject – that’s you and me or the child – must have been obtained fairly.

This is rather an elastic concept, but data definitely cannot have been obtained fairly if, for example, it takes advantage of a young person’s gullibility or inexperience. Everything hinges on the circumstances, the facts.

Yes, a web site’s privacy notice might appear to tick all the right legal boxes but the fundamental question remains. Is it really acceptable to collect personal data from children in this given context for that specific purpose? If it is not then there’s not much point answering any other or more detailed compliance questions. The data will have been obtained unlawfully. That spells trouble for whoever was responsible.

  • Useless on the internet

The need for a subjective assessment of each child’s level of understanding is very much rooted in real world experience and practices that were developed over many years. I endorse the idea unreservedly. For the real world.

But it is absolutely useless when it comes to the internet.

I do not know of a single company of any kind on any continent that has, in the online world, established a mechanism for carrying out subjective assessments of a person’s level of comprehension in relation to anything at all. Much less have they established such a thing as part of an in-line process geared to enabling them to make a decision about whether or not to engage with a particular individual who is asking the company to sell or supply them with a specific product or service.

What is more, even though I have almost boundless confidence in human ingenuity and believe we could solve almost any technological challenge if we put our minds to it, the operative word is almost. I find it hard to envision what any workable solution in this space would look like that could work at scale.

  • Ticking a box does not demonstrate understanding

Very many web sites flash up warnings or display pop ups at different parts of a particular process. Via a tick in the box they may ask for confirmation that you agree to this or that detail. They may even ask you to confirm that you have understood a particular point. But, duh, if the person filling in the online form hasn’t understood anything up to now how can you know they understood that question either? Probably a lawyer said to put the question in just to show you had thought about it. But I’m afraid assessing comprehension is a whole other kettle of bananas.

  • Spain and the USA

In some countries, for example Spain, they have in effect chosen to depart from the Gillick principle when it comes to cyberspace. Entirely sensibly in my view they concluded that it was simply unrealistic to expect companies that operate over the internet to be able to do individual, subjective assessments. They fixed an age limit of 14. In the USA, although for different reasons, they have in effect fixed the age at 13.

Above the age of 14 in Spain or 13 in the USA companies are not obliged to seek parental consent before accepting a minor as a member or user of an internet based service or before taking personal data from them. Below those ages they must.

Because of these laws the overwhelming majority of companies in the USA and Spain simply will not knowingly accept any children under the prescribed ages. They take this position because they just do not want to get involved in, as they see it, messy, expensive, time consuming and off-putting age verification processes.

  • Position in the UK

In the UK we remain purists. We have not fixed any age and we refuse to make any kind of distinction between the virtual world and the real world. Our laws are therefore a complete mess. They are totally unworkable.

I doubt we have arrived in this unenviable state as the result of a high level discussion which concluded that the status quo was OK. My guess is that inertia linked to limited resources is why we are where we are. Alternatively, and this amounts to the same thing really, someone had a quick look and decided to put it into the box marked

“Too Difficult”

  • Official guidance

In the Data Protection Guide issued by the Information Commissioner’s Office (ICO) it simply says

“Consent must…be appropriate to the age and capacity of the individual and to the particular circumstances of the case.”

In the Personal Information Online Code of Practice the ICO develops the point further

“Age and understanding

Assessing understanding, rather than merely determining age, is the key to ensuring that personal data about children is collected and used fairly. Some form of parental consent would normally be required before collecting personal data from children under 12. You will need to look at the appropriate form for obtaining consent based on any risk posed to the child. You may even decide to obtain parental consent for children aged over 12 where there is greater risk. This has to be determined on a case by case basis.”

  • So it’s 12 then?

By referring to the age of 12 in the way it appears in the text the ICO has, albeit not intentionally, established or implied that 12 is the UK’s minimum age. Period. However, note that there could be circumstances where even with children under 12 it may not always be necessary to obtain parental consent.

Spotify uses 12 as its minimum age in the UK. In the codes of practice of the UK’s Advertising Standards Authority and the Direct Marketing Association 12 is given as the minimum age for the collection of data without first obtaining clearance from a parent or guardian.

Referring at a recent conference to the fact that Spain, the USA and the UK have each pitched their tents close to one another but not on the identical spot, an ICO official almost suggested that where you draw the actual line is therefore more or less irrelevant. The onus was on parents to

“patrol their children’s use of the internet”

A moveable feast is one thing but two or three moveable feasts is something else.

  • Blame it on Cornflakes

Incidentally, the ICO can offer no clear explanation as to why 12 is the age. It seems to have been inherited from the original Data Protection Authority (DPA).

It is thought the DPA adopted 12 as a standard because……well that’s the thing. I could not find anyone who really knew. The best explanation I got was that it was based on some of the DPA’s employees’ experiences as parents.

In prehistoric times apparently children often used to cut a coupon from a cereal box, fill it in with minimal information about themselves then send it through the post to someone or other. In return they would be sent a plastic soldier or an animal. Historians still argue over what this signified. Was it religious in some way? Official records are unclear.

Though few people alive today can remember these possibly mythic rituals apparently there were very few complaints about anything untoward happening as a result of them so it was assumed 12 was probably fine.

  • Need for a modern research-based model

Is this leisurely model from another era truly appropriate for the age of rapid mouse clicks and permanence that has been ushered in by computers and the internet? We need to do a proper analysis. I have a sneaking feeling any fresh assessment will point to somewhere above 12, perhaps nearer 16. Then we should copy the example of Spain and the USA and fix the minimum age at that level.

If an online company subsequently were to discover or be advised that someone who was above the new minimum age turned out nonetheless to have issues understanding what they were doing on their site then I think the company ought to be under an obligation to consider what remedial or other action they should take. My guess is they will simply terminate the account, but you never know.

  • No need to change the real world law

There is no suggestion that changing the law and practice for the purposes of the internet or other remote environments need have any impact at all or require any alteration to the current law applicable in any situation where the child is visible to and in the presence of the vendor of a product, is seeing their doctor or anything similar. In those real world instances the existing laws and rules should continue to apply exactly as they do now.

  • A bridge too far?

The Article 29 Working Party is the EU-wide gathering of Data Protection and Information Commissioners. In June 2009 they issued an opinion on the operation of social networking sites. There was a section in it about children and minors.  They did not suggest the EU should try to establish a single EU-wide minimum age for data collection purposes.

Maybe in an ideal world every country would have the same age of consent for everything, including data collection. It would certainly make things a lot neater. Rather annoyingly, however, homo sapiens seems cussedly determined to hang on to its self evident imperfections and far from neat ways.

Matters of this kind are very culturally specific. Probably they really should be left to each nation to determine according to their own lights. You can see single-market type arguments for one age across the whole EU but the arguments against might be as strong or stronger.

The Working Party was, however, very clear on one thing although I have no idea if they have followed up on it in any way in the intervening 18 months:

“The Working Party encourages further research on how to address the difficulties surrounding adequate age verification and proof of informed consent……..”

Quite so and very welcome but, as they already worked out in Spain and the USA, people will continue to flounder if they do not have at least one fixed point in the firmament. 

  • Must abandon an unhelpful fiction

Thus, just because it might be hard, impossible or undesirable to get a shiny new, sensible EU-wide policy that is no reason to leave things as they are in the UK.

We must end the uncertainty and abandon the current unhelpful fiction that the law is working in any sense satisfactorily. It is not. In truth it provides a refuge for scoundrels and does nothing to help or reassure the companies who really do want to conform to the highest and best standards.

This still leaves open the question of what steps we expect web sites to take to determine whether or not children are telling the truth about their age but that is, as they say, a different story.

PS Note to self: at some point we should discuss the question of the age of criminal responsibility. In England and Wales this is set at 10. That is barbaric.
