Twitter has been suspending the accounts of users it believes were underage when they signed up for the popular social media service, causing widespread confusion and raising questions for other companies struggling to comply with new data-privacy laws.
The San Francisco-based company has so far been tight-lipped about what is driving the move. Officials did not immediately respond to a request for a comment.
But media reports in the Guardian and elsewhere highlighted examples of account suspensions that occurred on May 25, the day the European Union’s new General Data Protection Regulation, or GDPR, came into effect. Among the changes in that law is a new provision that tech companies processing the personal data of children (the age of whom may vary from 13 to 16, depending on the country) must obtain explicit consent from a parent or guardian.
The problem, it appears, is that some users may have created accounts when they were below the age of consent, without entering an age or date of birth—but then later entered such information into their profile, indicating to the company that the account was originally created by an underage user. (For a detailed back-and-forth on this dynamic, check out this Twitter conversation over the weekend, involving a number of K-12 privacy experts.)
Individual Twitter users are not going to face any legal or regulatory sanction for having created accounts when they were underage, said Linnette Attai, the founder of PlayWell LLC, which consults ed-tech companies, school districts, and other organizations on privacy.
And parents and educators should never encourage (or turn a blind eye to) young people lying about their age on social media, even if they might see a short-term benefit, such as not losing access to an account, Attai said.
Still, Twitter’s move to freeze accounts raises a number of questions, experts say.
Chief among them, it’s unclear what will happen to the content and data associated with those accounts. Will the company delete it? Will users have any recourse? When will any such processes become clear? For some users who have built significant followings, or who use Twitter for business or education, the answers to such questions could have major implications.
Some observers also wonder whether Twitter might have a COPPA problem on its hands. The federal law, formally known as the Children’s Online Privacy Protection Act, requires operators of online services to obtain parental consent before collecting any personal information on children under 13. Companies can be liable, with fines of more than $40,000 per violation, if they knowingly collected personal information from users who were under 13.
And then there’s the broader question of whether other ed-tech companies, if they learn via the process of becoming GDPR-compliant that they have users who created accounts when they were underage, may be forced to make similar hard decisions.
“It’s hard to extrapolate a larger lesson for other organizations from this, until we really understand exactly what Twitter is doing, and why, and whether they’re doing it properly,” Attai said.
“But if there is a lesson, it’s that transparency is critical. The more we know, the less this becomes a news story.”
- COPPA & Schools: The (Other) Federal Student Data Privacy Law, Explained
- Europe’s New Data-Privacy Law: What the GDPR Means for Ed-Tech Providers
A version of this news article first appeared in the Digital Education blog.