Today is going to be the day that you read a lot about the UK’s intention to kill cookie pop-ups as part of its post-Brexit Data Reform Bill. By now you should have somehow realised that there’s a bit more to it than that, and that your work is not set to get any easier.
So settle in for 3,000 words or so explaining what’s ahead for you, and the way you build things, here in the sunlit uplands.
The news you’re hearing today is not the draft Bill itself, but the press campaign around the release of the response to government’s consultation on “Data: A New Direction” from last Autumn. You’re probably not up for reading that on a Friday, though, so you can read any number of news stories summarising the planned changes, like this one from Bloomberg:
A planned Data Reform Bill will cut “burdens on businesses to deliver around £1 billion ($1.23 billion) in cost savings” over ten years, the Department for Digital, Culture, Media and Sport said in a statement summarizing the legislation Thursday.
The announcement criticized the EU’s “highly complex” General Data Protection Regulation and promised a “clampdown on bureaucracy, red tape and pointless paperwork” to “seize the benefits of Brexit.”
Small British businesses will no longer be required to have a data protection officer and fill out “lengthy impact assessments.” Internet users will be given the option to opt-out rather than needing to opt-in for the collection of cookies — which track users around the internet. The government said the change will cut down on “the irritating boxes users currently see on every website”.
The government will also be able to exert more control over the country’s data watchdog, the Information Commissioner’s Office. Culture Secretary Nadine Dorries will have to approve its statutory codes and guidance before they are presented to Parliament.
A DCMS spokeswoman didn’t immediately respond to a request for comment on maintaining a “data adequacy” arrangement.
The first thing that jumped out at me in the announcement was the c-word. The headline in the official DCMS press release was “New data laws to boost British business, protect consumers, and seize the benefits of Brexit.” It turns out the blog post I wrote on Monday, where I discussed how government is shifting its language from describing us as people with data rights to consumers with contracts, was spot on. You’ll understand if I’m not gloating.
As with any government announcement in 2022, the press release had a lot of red meat for pensioners (“fines for firms hounding people with nuisance calls!”) as well as for the red tops (“a clampdown on bureaucracy, red tape, and pointless paperwork” to “seize the benefits of Brexit!”).
But outside of that low-hanging fruit, the only area of this announcement which will receive any sort of attention outside the tech press is the intention to get rid of cookie pop-ups.
Yes, those. As we’ve known for a good while now, and as the announcement states, the Data Reform Bill will shift the responsibility for consent popups from service providers to browsers.
(You need to stay with this narrative for a while, because that isn’t as technically simple as it sounds.)
So, aye. Yay. No more popups! Yay! Everyone hates them! I do! You do! Everyone does!
But. And it’s a big but.
I need you to keep reading the fine print, in that government announcement.
And I need you to keep reading the fine print in other government announcements on tech and digital.
Because the pop-ups are just getting started.
Say that again?
You cannot read this press release, and consider the legislative overhaul planned for the Data Reform Bill, in a policy bubble. You have to look at it in the context of the bigger picture, and that picture is the Online Safety Bill.
And wait until you hear about those pop-ups.
I have been trying to write a post about your compliance obligations, as well as the staggering compliance costs being placed onto you, which businesses – and not just Big Tech, that means you too – will be facing under the Online Safety Bill. It’s taking me forever to write it, because the requirements are that insanely complicated, trying to keep them straight is that nigh impossible, and the sheer technical dystopia of it all sends me outside into the garden to breathe some fresh air – and that’s said as someone whose professional life has been consumed by this Bill for three years.
For the purposes of today’s announcement, though, I’m going to tease out just one aspect of those compliance obligations, and those compliance costs.
So if you work in any sort of tech or digital related role, and the work you put into the world can be viewed, or accessed, by anyone of any age in the UK, and you are (rightfully) celebrating the loss of the cookie popups, I need you to do me a favour and drop the balloons and party streamers and sit down.
Pop-ups, but British ones.
Preamble: you’ll be aware that the UK’s Online Safety Bill has been promoted as a piece of big tech/social media legislation, but it is not. It will impact any company or project of any size, nature, location, or business model which has user-generated content on it or allows humans to interact with other humans. So if your site, service or app is anything other than a promotional portfolio web 1.0 site, or a blog like this here blog that only allows comments, you’re in scope. If you weren’t aware of that, you are now. Enough of the preamble, let’s amble.
As it has been drafted, the Online Safety Bill will require all services plying their trade online – no matter what they do, no matter where they’re located, no matter how small they are, no matter what they’re trying to put right in the world – to know the ages of all their visitors or users, in order to determine which of the users are children, in order to determine whether or not the service must be made “child-safe” per the Bill’s other requirements.
As it has been drafted, the Bill states that the only way a service can know for certain that children are not accessing it, is if that service is checking everybody’s IDs at the door:
A provider is only entitled to conclude that it is not possible for children to access a service, or a part of it, if there are systems or processes in place (for example, age verification, or another means of age assurance) that achieve the result that children are not normally able to access the service or that part of it.
In that way, the Bill almost ingeniously does not mandate age verification for content screening and filtering purposes, but rather requires it as an administrative compliance obligation.
(Wonks: you’ll find this all in the draft Bill, Part 3 Chapter 2 Clause 11).
The expectation is that any service in scope, e.g. you, would install a third-party age verification or age assurance system, chosen from a specific list of providers whom DCMS has supported to get off the ground. (It goes without saying that these provisions of the Online Safety Bill are the result of aggressive corporate lobbying by the age verification sector, whom Boris Johnson’s government is enthusiastically supporting as a post-Brexit UK tech success story. That their business model, which imposes privatised surveillance obligations onto all service providers in the UK, also serves this government’s objectives, e.g. Priti Patel & co., is a convenient side benefit. But you knew that too.)
The use of third-party age verification systems is intended to ensure that the service provider, e.g. you running your site there, never sees nor accesses the personal data – meaning the identities – of the people accessing your service. The fact remains, however, that age verification is still being mandated onto you, and that your users will hold you – not the third party provider – responsible for the hassle.
So how’s this going to work? The simplest way to explain this is that it’s going to be like cookie popups, mandated onto every site and service, at the point of page load, regardless of any subsequent interaction with the service. Except that instead of asking you to confirm your choices, it’s going to be asking you to confirm your identity.
No passport? No driving license? No credit card? No internet for you. Digital exclusion a go-go.
(Mind, the Bill’s drafters haven’t thought that far down the road yet. Unless, given this government, they have thought that far down the road yet, and know exactly what they’re doing by requiring identity verification in exchange for internet access.)
But they do have an alternative in mind for how users can verify their ages if they don’t have an official form of ID at hand.
You see, service providers – meaning you – will also be encouraged to use what is called “age assurance”, which is a means of estimating or determining your age without the use of some form of official government- or bank-issued documentation. At the moment, the leading idea in the field is the use of the webcam to measure the head of the person sitting in front of the screen. AI then does the job of determining whether those measurements correspond with those of a child. You may recognise this practice from what the Victorians called it: phrenology.
I need not tell you what other kinds of people, and what voices of 20th century history who float over my shoulders every day, are really into the concept of measuring people’s heads to make legally binding judgements about the worthiness of their character.
But for the slow VCs at the back who do need to be told:
Concluding, Dr. @Abebab notes, "It took Nazi-era atrocities, forced sterilizations… for phrenology, eugenics, and other pseudosciences to be relegated from science’s mainstream to its fringe. It should not take mass injustice for Cheap AI to be recognised as similarly harmful." pic.twitter.com/FcSxWIPWrG
— Eileen Clancy (@clancynewyork) June 11, 2022
(And you may ask yourself, how did I get here? Have we really gone from a referendum on bendy bananas to deploying phrenology onto the British internet? Yes. Yes we have.)
Regardless of whether you choose to deploy a third-party age verification provider, which hoovers up your visitors’ passport and credit card data, or a third-party age assurance solution, which hoovers up your visitors’ cranial measurements (particularly if they are undesirable ethnic minorities), in order to meet your imminent compliance obligations under the Online Safety Bill:
your compliance costs will be staggering.
The industry body representing those groups (e.g.: cha-ching! Make it rain) has estimated the cost of age checks, to service providers like you, to be 10p per age check.
10p does not sound like a lot, until you think about your traffic on a good day. 10p then becomes 10p in every £1 of income – not profit, income – just to meet that compliance obligation.
That’s an outlay on par with salaries or rent or heating.
And keep in mind that the UK also envisions this Bill to be extraterritorial, meaning that businesses outside the UK will be expected to comply with it – meaning age-gate their visitors – as well. How that’s going to work in their own domestic privacy contexts is one question; why they’re going to spend that money on the likes of you is another.
There are many other compliance obligations, and costs, under this Bill, alone, including the fee you’ll be required to pay Ofcom for the privilege of being regulated by them, as well as the costs of the screening and monitoring utilities you’ll need to install. But, as I said, that’s a separate blog post, coming another day.
(And by the way, if you’re working on a decentralised project, as I am currently doing, and are trying to figure out how anyone installing a service or node is expected to age-check people, lest they get screamed at that they’re failing to meet their “duty of care” to protect Britain’s children, your guess is as good as mine.)
So that, dear readers, is a very brief introduction to the world of popups after popups which you will be expected to help to build. Or else.
Call that a lot of whataboutery, if you like. I suppose it is.
But if I were you, I’d be more worried about the fact that whataboutery is pretty much the only retort we have to the erosion of our rights to privacy, and our freedom of expression too, which are being packaged as a post-Brexit opportunity.
Are you still with me?
Good. Because we’ve covered just one area – the big headline-grabbing shouty one – of today’s consultation announcement.
There are others.
But to make that much shorter and simpler for you:
The UK is planning to remove cookie pop-ups for UK people, of which there are 80 million, while service operators will still have to use them for European people, of which there are half a billion.
The UK is also planning to legislate to remove the EU-derived requirement for the Data Protection Officer, as the person responsible for safeguarding an organisation’s users’ privacy rights, while simultaneously demanding under the OSB that companies appoint named individuals who are subject to personal arrests and criminal sanctions for failing to prevent bad things from happening on the internet.
The UK is also planning to legislate to remove what it feels are unnecessary EU-derived burdens on small businesses and startups, such as “the need to undertake lengthy impact assessments”, while simultaneously imposing over two dozen compliance requirements under the OSB onto every small business and startup, including no fewer than six impact assessments, all predicated on the ghastly assumption that you are deliberately harming children.
The UK is also planning to legislate to require companies to have a privacy management programme to ensure they are accountable for how they process domestic personal data, based on…erm…whatever rules they make up and mark their own homework with, I guess? While those same companies will still be required to maintain higher standards and better accountability for their European users, thereby actually creating more work with less accountability, while creating a two-tier system of optimal and sub-optimal privacy rights based on nationality.
The UK is also planning to create £1 billion in business savings for businesses over ten years through the compliance reforms in the Data Reform Bill, while simultaneously requiring tech businesses to directly repurpose that money towards their OSB compliance requirements, which won’t just include age checks; they will also include the technology required for you to meet the general monitoring obligation over legal content.
The UK is also planning to
(Oh, and good luck shouting at asking browser manufacturers to deal with the UK’s mandatory age-checking regime at the browser-setting level too.)
And finally, the UK is also planning to ensure the independence of the privacy regulator by requiring the regulator’s statutory codes and guidance to be politically approved by the Secretary of State, who is, of course, a political appointee, and who is, of course, currently Nadine Dorries. But regardless of who occupies the role today or tomorrow, granting them political authority over regulatory guidance seems to me like the exact opposite of regulatory independence.
And given the powers that same Secretary of State will have, under the Online Safety Bill, to define and constrain the limits of your free, legal, and subjective speech, it’s worth imagining – in the most horrible way – what it might be like for you and for me and for the people you care for when she is also allowed, under the Data Reform Bill, to define and constrain the limits of your personal privacy.
So hooray. Yes. We’re getting rid of horrible European pop-ups.
So that we can replace them with horrible British pop-ups.
We’re getting rid of European risk assessment bureaucracy.
So that we can replace it with British risk assessment bureaucracy.
We’re getting rid of Eurocrats who don’t understand the internet.
So that we can replace them with politicians who think the internet is ten years old.
And we’re getting rid of European-derived privacy rights.
So that we can replace them with UK-inspired privacy erosions.
And the saddest thing of all is that this country is currently so consumed with bitterness and spite and hatred that a lot of people out there will have considered everything I’ve said above and they’ll still be thinking:
Postscript: how the sausage gets made
Whenever I discuss the OSB and age verification with policy colleagues from outside the UK, I have to stop and explain things very slowly, two or three times, until I see the look on their face that signals that they “get it”.
I have to do that because in their professional experience, age verification is only ever invoked in discussions around what we might call explicit adult content: pornography, alcohol, tobacco, and firearms. So that’s what they assume this discussion is about, here, in the UK. They don’t realise, until I explain it to them, that the UK legislative discussion is not just about preventing children from accessing those four kinds of content. It’s about mandating age verification for anything and everything, for every user, of every age, in front of access to all topics, all subjects, all sites, all service providers, all opinions, and all content. The whole public open web. Everything.
If you’re explaining this to someone who’s good at their job, they will immediately comprehend how this regime (e.g. identity verification packaged as age verification packaged as child safety, imposed over all content on all topics, again packaged as child safety) could be abused, in their own domestic political contexts, for matters which have nothing to do with children or online safety.
I would love for one of those people to draft some musings about how the UK hasn’t just corrupted the term “age-appropriate”; it’s over-egged the “world-leading” “child safety” aspects of the Online Safety Bill in ways which have handed a gift to states seeking new tools to crack down on public discourse.
But that should be another topic for another day.
Header image by me: platinum jubilee shortbread, because sometimes the visual symbolism presents itself