An age-appropriate code of practice for online services has just been published by the Information Commissioner’s Office. Children are being ‘datafied’, says the Information Commissioner, as she publishes the final version of the code.
The Information Commissioner’s Office has published its final Age Appropriate Design Code. The code comprises a set of 15 standards that online services should meet to protect children’s privacy. The code is the first of its kind, but similar reform is being considered in the USA and in Europe and the code anticipates what the Information Commissioner calls ‘the global direction of travel’.
In her foreword, the Information Commissioner recognises that data now sits at the heart of the digital services children use every day and that as a young person opens an app, plays a game or loads a website, data is gathered about who they are, how they use the service, on what device they are accessing it and where in the world they are. That information may then be used to persuade young people to spend more time using services, to shape the content they are encouraged to engage with and to tailor the advertisements they see. She recognises that, although the digital economy can offer benefits for children and young people, it cannot yet be considered a safe space for them to learn, explore and play. The age appropriate design code looks to change that by requiring providers to put the best interests of children first when they are designing apps, games and websites likely to be accessed by children.
In a nutshell
The code requires children’s best interests to be a primary consideration when designing and developing online services. Digital services will have to automatically provide children with a built-in baseline of data protection whenever they download a new app or game or visit a website. This means that:
- privacy settings should be set to high by default
- nudge techniques should not be used to encourage children to weaken their settings
- location settings should also be switched off by default
- data collection and sharing should be minimised
- profiling that can allow children to be served up targeted content should be switched off by default.
The ICO expects the code to be fully in effect by autumn 2021.
In more detail
The Code is not a new law but it sets standards and explains how the General Data Protection Regulation applies in the context of children using digital services. The code is a set of 15 flexible standards. It is not aiming to protect children from the digital world but to protect them within it – so that they can explore, learn and play more safely online.
The 15 standards comprising the Code require the following things of service providers whose services are likely to be accessed by children.
Best interests of the child: the best interests of the child should be a primary consideration when designing and developing online services likely to be accessed by a child.
Data protection impact assessments: make sure an assessment is made of the risks to the rights and freedoms of children who are likely to access a service, which arise from the data processing and ensure they are mitigated. Take into account differing ages, capacities and development needs and ensure that the assessment process builds in compliance with the code.
Age appropriate application: take a risk-based approach to recognising the age of individual users and ensure the standards in the code are effectively applied to child users. Either establish age with a level of certainty that is appropriate to the risks to the rights and freedoms of children that arise from the data processing, or apply the standards in the code to all users instead.
Transparency: the privacy information provided to users, and other published terms, policies and community standards, must be concise, prominent and in clear language suited to the age of the child. Provide additional specific ‘bite-sized’ explanations about how personal data is used at the point that use is activated.
Detrimental use of data: do not use children’s personal data in ways that have been shown to be detrimental to their wellbeing, or that go against industry codes of practice, other regulatory provisions or government advice.
Policies and community standards: uphold published terms, policies and community standards (including but not limited to privacy policies, age restriction, behaviour rules and content policies).
Default settings: settings must be ‘high privacy’ by default (unless an online service provider can demonstrate a compelling reason for a different default setting, taking account of the best interests of the child).
Data minimisation: collect and retain only the minimum amount of personal data needed to provide the elements of the service in which a child is actively and knowingly engaged. Give children separate choices over which elements they wish to activate.
Data sharing: do not disclose children’s data unless a compelling reason to do so can be demonstrated, taking account of the best interests of the child.
Geolocation: switch geolocation options off by default (unless there is a compelling reason for geolocation to be switched on by default, taking account of the best interests of the child). Provide an obvious sign for children when location tracking is active. Options which make a child’s location visible to others must default back to ‘off’ at the end of each session.
Parental controls: if parental controls are provided, give the child age appropriate information about this. If an online service allows a parent or carer to monitor their child’s online activity or track their location, provide an obvious sign to the child when they are being monitored.
Profiling: switch options which use profiling ‘off’ by default (unless there is a compelling reason for profiling to be on by default, taking account of the best interests of the child). Only allow profiling if there are appropriate measures in place to protect the child from any harmful effects (in particular, being fed content that is detrimental to their health or wellbeing).
Nudge techniques: do not use nudge techniques to lead or encourage children to provide unnecessary personal data or weaken or turn off their privacy protections.
Connected toys and devices: if a connected toy or device is provided, ensure effective tools are provided to enable conformity with the code.
Online tools: provide prominent and accessible tools to help children exercise their data protection rights and report concerns.
So what happens now?
The next step will be a period of action and preparation. The ICO submitted the code to the Secretary of State in November 2019. The Secretary of State will now need to lay the code before Parliament for its approval as soon as is reasonably practicable. The code then provides a transition period of 12 months, which will give organisations a year to update their practices before the code comes into full effect.
The ICO expects the code to come into full effect by autumn 2021. In the meantime, the ICO will engage with organisations to help them understand the code and prepare for its implementation. The ICO warns that those companies that do not make the required changes risk regulatory action.