UK Data Protection Regulators Launch Investigation on Online Child Endangerment

The past few years have been a tumultuous period for the regulation of children’s data. Several incidents involving breaches of children’s data privacy standards have plagued the tech industry, specifically around the collection, storage, and processing of children’s personal information online and compliance with the rules that govern it. As a result, major tech companies like TikTok and YouTube have been a constant part of these investigations. The recent testimony by Facebook whistleblower Frances Haugen only strengthens the case for strong online data protection policies relating to the young global demographic.

The latest developments include correspondence dated November 17th, 2021 between the 5Rights Foundation and the UK ICO (Information Commissioner’s Office). The correspondence confirms that new investigations are underway, probing approximately 50 tech companies’ improper conduct with regard to the Age Appropriate Design ‘statutory code of practice.’ The latest information suggests that Google and Apple are among those currently being probed.

5Rights, UK ICO, And The Age Appropriate Design Code

Because of the hazards that social media poses to children, well-established legislation like COPPA and foundations like 5Rights now exist to scrutinize how the digital design of products and services puts children at risk. 5Rights “takes the existing rights of children and young people (under 18), and articulates them for the digital world.” In addition to charities like 5Rights and its many signatories, including UNICEF and the NSPCC, official government bodies like the UK ICO are highly involved, having instated a 15-step code called “Age Appropriate Design”, which was passed on the 2nd of September, 2021.

According to the UK ICO, Age Appropriate Design is “the first of its kind, but it reflects the global direction of travel with similar reform being considered in the USA, Europe and globally by the Organisation for Economic Co-operation and Development (OECD).”

5Rights Letter to the UK ICO Reveals Substantial Investigation

Correspondence between the Founder and Chair of 5Rights, Baroness Kidron, and the commissioner of UK ICO, Elizabeth Denham, dated October 8th and November 17th, 2021 respectively, concerns “systemic breaches of the Age Appropriate Design Code (Children’s code).” The initial correspondence sent by 5Rights to the UK ICO stated that 5Rights conducted research in July and August 2021, “testing products and services to identify gaps in compliance with the standards set out in the Code.” The research reflected in the “Summary of systemic breaches” section of the letter underlines the tech industry’s insufficient compliance with the code.

In the reply sent from UK ICO to 5Rights, UK ICO commissioner Denham wrote that UK ICO is “conducting an evidence gathering process to identify conformance with the code, and thus compliance with the underlying data protection law.” Denham also wrote that UK ICO is concentrating on intervening on “operators of online services where there is information which indicates potential poor compliance with privacy requirements, and where there is a high risk of potential harm to children.”

With the new research from 5Rights in hand, the UK ICO’s current focus is on “social media and messaging; gaming; video content and music streaming” because “specific cases of non-conformance against thematic areas of concern” were found.

5Rights’ Summary of Systemic Breaches

5Rights have outlined a Summary of Systemic Breaches in their letter to the UK ICO that included the following points:

  1. Insufficient age assurance
  2. The minimum ages of use for games and apps are mis-advertised on app stores
  3. Use of data creates content, conduct, and contact risks
  4. Failure to enforce community standards
  5. Use of dark patterns and nudges
  6. Age-appropriate financial pressures
  7. Low default privacy settings
  8. Excessive data sharing with third parties
  9. Lack of transparency and excessive data sharing between services and third-party login providers
  10. Published terms are not age-appropriate
  11. Insufficient tools to exercise data rights
  12. Connected devices

UK ICO Will be Proceeding With ‘Steps’ in 2022

The correspondence confirms that UK ICO has contacted 40 organizations that operate in high-risk sectors, and is in the process of contacting 9 more. UK ICO stated that they have already “written to 40 organizations across the three sectors” and that they hope to receive responses from “all organizations by the end of December.” At this time, a full list of those in question has not been publicly disclosed.

The UK ICO revealed a rough time frame for tech companies and corporations to comply with the new Code: “Our regulatory options will be based on that careful understanding and as such, I expect that we will progress to next steps in spring 2022.” In addition, Baroness Kidron has confirmed that she will be submitting formal complaints if companies and corporations do not comply with the ICO’s warnings.

Apple and Google Have Been Mentioned

Among the long list of tech companies and corporations under scrutiny are tech giants Apple and Google, which have been marked by 5Rights as having breached points 2 and 9 of the Summary of Systemic Breaches. In the correspondence, the UK ICO confirmed that they have contacted both corporations about app age ratings “to enquire about the extent to which the risks associated with the processing of personal data are a factor when determining the age rating for an app.”

Tech researcher & communications specialist
Mirza has an educational background in Global Communications and has worked in advertising, marketing, journalism and television over the years while living in several different countries. He is now working to consolidate news and outreach at, while in his free time he likes to work on documentary projects, read about sociology and write about world events.