TikTok has turned off notifications for children past bedtime, Instagram has disabled targeted adverts for under-18s entirely and YouTube has turned off autoplay for teen users: moves seemingly triggered by Britain introducing a new set of regulations aimed at protecting children online.
On Thursday the UK introduced a new set of regulations aimed at protecting children, and at a stroke became a global leader in the field. The prospect of multimillion-dollar fines for companies that breach its new “age appropriate design code” has led to a cascade of last-minute changes across some of Silicon Valley’s largest players.
Rather than applying the changes just to the UK, as they were legally required to do, TikTok, Instagram and YouTube have made the changes global.
That proves, said Beeban Kidron, the crossbench peer who introduced the code into law, that a mid-sized country such as Britain can have a meaningful effect on the global internet. “If one code can create societal change,” she said, “then actually, what it means is they’re not exempt. This tech exceptionalism that has defined the last decade – ‘we are different’ – just disappears in a puff of smoke.”
It ought to be something the government, which has been outspoken about its desire to make the UK the “safest place in the world to be online”, is shouting about from the rooftops. But instead, the code came into effect with little fanfare or attention, except from those deep in the world of child safety regulation – which is exactly how it passed into law in the first place.
The code was introduced as an amendment to the Data Protection Act 2018, a technical piece of legislation intended mostly to implement the GDPR in UK law. The act crept through the Commons without incident, thanks to Theresa May’s small majority, but in the House of Lords received myriad amendments, from minor to major.
Typically, a government with a Commons majority can fairly easily bat away such alterations. But Kidron’s formidable personal lobbying caught the eye of the DCMS ministers, particularly Margot James, then minister for digital. “Within half an hour, she had persuaded me of the importance of the code that she had amended the bill to incorporate, and I thought it made a lot of sense,” James said.
“It wasn’t government policy,” she added, “at least, before Lady Kidron burst on to the scene it wasn’t government policy.”
Kidron’s one-line amendment gave little detail on what the age-appropriate design code should be, other than simply requiring the information commissioner to create one in the first place. But, combined with a government push to increase the powers of the ICO, the end result has been transformative.
Unless they can prove their service is not likely to be used at all by children, companies now face a choice: they must make their entire offering compatible with the code, or attempt to identify younger users and treat them with care. The code prohibits the use of “nudge” techniques aimed at encouraging children to give up more of their privacy than they would otherwise choose, calls on companies to minimise the data they collect about children and requires them to offer children privacy settings that default to the most protective level.
Given such wide-ranging requirements, many expected fearsome lobbying from the tech industry against the code. Instead, the opposite has happened: not only have the world’s largest companies made substantial changes to their products in the weeks before the code would force them to, they have actively denied that they were doing so under duress – instead claiming that the changes were what they wanted to do all along.
A Google spokesperson said its updates extended beyond any single current or upcoming regulation, for instance, while a Facebook spokesperson said its update “wasn’t based on any specific regulation”.
Other companies have yet to introduce any specific changes at all. Twitter, for instance, declined to answer questions about how it had approached complying with the code, and for many critics the social network, which applies little scrutiny to users’ ages beyond a request to enter a self-declared birth date on sign-up, is one of the key targets for action.
But the next steps are in the hands of the Information Commissioner’s Office. Although the code took legal effect on 2 September, it’s the ICO that decides when, and whether, to levy fines for breaches. Elle Todd, a partner at law firm Reed Smith, said she expected the office to take its responsibility seriously: “We wholly expect that the ICO will be following up with tech companies and others to see what changes have actually been made now or are made over the coming months.”
“However, one of the most interesting questions around engagement and the AADC concerns not the regulators but children and teens themselves. Teens are tech savvy and reluctant to be treated differently, so it remains to be seen how much of an impact filters and nudges towards positive behaviour can make.”
For Kidron, the success of the code’s passage is in the past. Her attentions now lie on the government’s true flagship internet regulation, the online safety bill. “I work with a lot of children, both here in the UK and internationally. And the thing that has absolutely sideswiped me is that in over 23 countries and more than 1,000 children, they all agree about what digital world they want.
“It’s less important that they’re in Rwanda or Kenya or Virginia, US, or Berlin, or London, because they’re all using the same services designed the same way and having the same experience. How this technology is designed is curating the experience of childhood. And I don’t think people have understood that.”