“In a world of connected toys, communications platforms and information services it is extremely difficult for parents and children to make informed choices or exercise any control over the way services use children’s data. Often the only choice in practice is to avoid online services altogether, which means the child loses the benefits of online play, interaction and development.”
Quote: UK Information Commissioner’s Office (ICO)
To address this, the UK’s Information Commissioner, Elizabeth Denham, has published a draft “Age Appropriate Design Code”. The draft was open for consultation until 31 May, ahead of it being finalised and becoming UK law.
Practical child-protection guidance for online services
The code provides practical guidance on how to design data protection safeguards into online services so that they are appropriate for use by children and meet their development needs. Providers of such services will have to take responsibility for ensuring that their services are appropriate to the child’s age, and will have to take into account and incorporate the key principle of the United Nations Convention on the Rights of the Child (UNCRC): that the best interests of the child should be a primary consideration in all actions concerning children.
Overall the Code “aims to respect the rights and duties of parents, and the child’s evolving capacity to make their own choices”, recognising that children have different needs at different ages. One stated benefit of following the code is that it will make it easier to demonstrate compliance with the GDPR.
Who is the code aimed at?
The code is for providers of information society services (ISS). It applies to anyone who provides online products or services (including apps, programs, websites, games, community environments, and connected toys or devices with or without a screen) that process personal data and are likely to be accessed by children in the UK.
It is not only for services aimed at children: the code applies whenever children are likely to use the service, including services that are not specifically aimed or targeted at children but are nonetheless likely to be used by under-18s. A child is defined in the UNCRC, and for the purposes of the code, as a person under 18.
The code must be taken into account if the service, or any element of it, is likely to appeal to children and therefore be accessed by them, even where that is not the intent of the service. If a service does not initially appear to be accessed by children, but evidence later emerges that a significant number of children are in fact using it, the service needs to comply with the code even if those children are only a small proportion of the overall user base.
UK versus non-UK online services
The code applies to online services based in the UK. It also applies to online services based outside the UK that have a branch, office or other ‘establishment’ in the UK and process personal data in the context of the activities of that establishment, and it may apply to some other services based outside the UK even if they have no establishment in the UK: if the relevant establishment is outside the European Economic Area (EEA), the code still applies where the service is offered to users in the UK or monitors the behaviour of users in the UK. In each case the code applies only if the service is likely to be accessed by children.
The 16 standards are summarized below:
- Best interests of the child: The best interests of the child should be a primary consideration when you design and develop online services likely to be accessed by a child.
- Age-appropriate application: Consider the age range of your audience and the needs of children of different ages. Apply the standards in this code to all users, unless you have robust age-verification mechanisms to distinguish adults from children.
- Transparency: The privacy information you provide to users, and other published terms, policies and community standards, must be concise, prominent and in clear language suited to the age of the child. Provide additional specific ‘bite-sized’ explanations about how you use personal data at the point that use is activated.
- Detrimental use of data: Do not use children’s personal data in ways that have been shown to be detrimental to their well-being, or that go against industry codes of practice, other regulatory provisions or Government advice.
- Policies and community standards: Uphold your own published terms, policies and community standards (including but not limited to privacy policies, age restriction, behaviour rules and content policies).
- Default settings: Settings must be ‘high privacy’ by default (unless you can demonstrate a compelling reason for a different default setting, taking account of the best interests of the child).
- Data minimisation: Collect and retain only the minimum amount of personal data you need to provide the elements of your service in which a child is actively and knowingly engaged. Give children separate choices over which elements they wish to activate.
- Data sharing: Do not disclose children’s data unless you can demonstrate a compelling reason to do so, taking account of the best interests of the child.
- Geolocation: Switch geolocation options off by default (unless you can demonstrate a compelling reason for geolocation, taking account of the best interests of the child), and provide an obvious sign for children when location tracking is active. Options which make a child’s location visible to others must default back to off at the end of each session.
- Parental controls: If you provide parental controls, give the child age appropriate information about this. If your online service allows a parent or carer to monitor their child’s online activity or track their location, provide an obvious sign to the child when they are being monitored.
- Profiling: Switch options which use profiling off by default (unless you can demonstrate a compelling reason for profiling, taking account of the best interests of the child). Only allow profiling if you have appropriate measures in place to protect the child from any harmful effects (in particular, being fed content that is detrimental to their health or wellbeing).
- Nudge techniques: Do not use nudge techniques to lead or encourage children to provide unnecessary personal data, weaken or turn off their privacy protections, or extend their use.
- Connected toys and devices: If you provide a connected toy or device ensure you include effective tools to enable compliance with this code.
- Online tools: Provide prominent and accessible tools to help children exercise their data protection rights and report concerns.
- Data protection impact assessments: Undertake a DPIA specifically to assess and mitigate risks to children who are likely to access your service, taking into account differing ages, capacities and development needs. Ensure that your DPIA builds in compliance with this code.
- Governance and accountability: Ensure you have policies and procedures in place which demonstrate how you comply with data protection obligations, including data protection training for all staff involved in the design and development of online services likely to be accessed by children. Ensure that your policies, procedures and terms of service demonstrate compliance with the provisions of this code.