The Information Commissioner’s Office is risking a new backlash from privacy groups by claiming it only has “limited resources” to investigate breaches of the new Age Appropriate Design Code, seemingly making enforcement action highly unlikely for years.
The admission comes in an ICO response to a letter from digital child safety charity the 5Rights Foundation, which conducted research over the summer among leading tech companies to investigate compliance with the code.
The charity claims it found 12 “systemic” breaches, including insufficient age assurance; mis-advertisement of minimum ages for games on app stores; the use of dark patterns and nudges; data-driven recommendations that create risks for children; a routine failure to enforce community standards; and low default privacy settings.
But in what has been seen purely as an attempt to grab headlines, the ICO says it is writing to almost 50 organisations across the three tech sectors it considers highest risk for kids — social media/messaging; gaming; and video/music streaming — “to determine their standards of conformance individually”.
These companies, which include Apple and Google, are being quizzed on how they assess apps to determine the age ratings they apply. However, the full list remains under wraps, with neither the ICO nor the 5Rights Foundation naming names.
When the code was first aired – back in January 2020 – Information Commissioner Elizabeth Denham insisted that “children’s privacy must not be traded in the chase for profit”, although she appears in no great rush to act on the 5Rights Foundation investigation.
She says her office is conducting an “evidence gathering process to identify conformance with the code, and thus compliance with the underlying data protection law”.
Denham added: “In this process, the ICO is taking a systemic approach; we are focusing our interventions on operators of online services where there is information which indicates potential poor compliance with privacy requirements, and where there is a high risk of potential harm to children.”
Even so, Denham suggests a timeline of next spring before the ICO probe makes any decision. “In terms of timescales, we need to take the time to understand what the information gathered is telling us systemically and individually. Our regulatory options will be based on that careful understanding and as such I expect that we will progress to next steps in spring 2022.”
Observers have suggested the ICO is taking a “softly, softly” approach to encourage improvements from the tech industry, including stakeholder roundtable events, similar to its controversial approach to the adtech industry.
That probe dates back to June 2109, when the regulator published a damning report into real-time bidding, insisting the “immature” understanding of data protection is triggering the mass unlawful use of consumer data, leaving millions of users at risk of potential harm.
Some 30 months later and there has still been no action, much to the annoyance of privacy campaigners.
Meanwhile, Denham’s letter to 5Rights Foundation contains numerous with caveats and qualifications, insisting the code seeks to drive “proportionate protections that enhance society’s engagement with the digital world”, suggesting a pragmatic approach to compliance.
Despite the ICO being the biggest regulator in Europe, with a budget of more than £50m and a staff of nearly 800, Denham also cautioned: “I hope you will recognise that as a regulator, the ICO will always face tough choices on how to deploy our limited resources. As such, this is why our initial focus is on those cases of greatest potential harm with non-conformance across multiple standards.”
Tough new laws aim to protect kids from online harm
Government urged to tighten up data laws for children
Targeted ads use ‘illegal surveillance’, lawmakers told
War on ‘illegal’ adtech RTB heads to the German courts
ICO gunning for data brokers as adtech probe resumes
DMA wades into ICO row over axed adtech investigation
Adtech breach widens, two years after first complaints
$273bn behavioural ad industry ‘is in breach of GDPR’