Following a public consultation on its draft code of practice with parents, children, schools, children's campaign groups, developers, tech and gaming companies and online service providers, which closed on 31 May 2019, the Information Commissioner's Office (ICO) submitted its Age-appropriate design Code of Practice on 12 November 2019. Due to restrictions in the pre-election period, it was not permitted to be published until 23 January 2020.
The purpose of the Code:
The Code aims to address the increasing concern both in the UK and
internationally about children's safety and exploitation of
their data online and is designed to allow them to explore safely
within the digital environment. The Code specifies which data
protection safeguards need to be built into the design of online
services to ensure they are appropriate for use by children and
also to help meet children's developmental needs. It is
envisaged that as well as demonstrating compliance with current
data protection laws, online service providers who follow the code
will demonstrate to parents and other users of their services that
they take children's privacy seriously; that they can be
trusted with children's data and that their services are
appropriate for children.
Who the Code applies to:
The Code applies to providers of information society services and
providers of online products or services including apps,
programmes, websites, games or community environments, as well as
connected toys or devices (either with or without a screen) that
process personal data and that are likely to be accessed by
children in the UK.
Legal Status of the Code:
The Code is not a new law but is a statutory code of practice
required under Section 123 of the Data Protection Act (DPA)
2018.
The Code was submitted to the Secretary of State on 12 November
2019 and must complete a statutory process before it can be laid
before Parliament. It will become law 40 days after being laid
before Parliament in accordance with Section 125 of the DPA
2018.
There will then be a 12 month transition period to allow providers
to implement the necessary changes from the date the code takes
effect following the Parliamentary approval process. The ICO
expects that this will expire in Autumn 2021.
Consequences of non-compliance:
Conformity with the Code will be used as a key measure of
compliance with data protection obligations under the General Data
Protection Regulation (GDPR), the DPA and the Privacy and
Electronic Communications Regulations (PECR). This measure of
compliance will be specifically taken into account when considering
questions of fairness, lawfulness,
transparency and accountability under the GDPR as
well as when the ICO are considering enforcement measures.
The ICO have warned that if an online service provider does not
conform to the code it will be difficult to demonstrate compliance
with the law, which in turn is likely to trigger regulatory
enforcement.
The Provisions of the Code:
The Code is a set of 15 design standards which focus on high
privacy, child-friendly, default privacy settings with no data
sharing and minimisation of data collection and use by default for
all online providers whose services are likely to be accessed by
children. The standards are non-prescriptive but are designed to
ensure built-in protection for children when they are exploring,
learning and playing online.
The 15 Standards of the Code:
1. Best interests of the child – this is a
primary consideration when designing and developing online services
likely to be accessed by a child;
2. Data Protection Impact Assessments (DPIAs)
– these are to be undertaken to assess and mitigate risks
which arise from data processing to the rights and freedoms of
children who are likely to access services.
3. Age appropriate application of the code –
taking a risk-based approach, online service providers should
either establish age with a level of certainty that is appropriate
to the risks to the rights and freedoms of children that arise from
their data processing, or apply the standards of the code to all
users instead.
4. Transparency – the privacy information
provided to users, and other published terms, policies and
community standards, is required to be concise, prominent and in
clear language suited to the age of the child. Additional
bite-sized explanations about how the service provider uses
personal data need to be provided at the point that use is
activated.
5. Detrimental Use of Data – children's
personal data must not be used in ways that have been shown to be
harmful to their wellbeing, or that go against industry codes of
practice or other regulatory provisions or Government advice.
6. Policies and Community Standards –
service providers are to uphold their own published terms, policies
and community standards (including but not limited to privacy
policies, age restriction, behaviour rules and content
policies).
7. Default settings – settings must be
'high privacy' by default, unless the service provider can
demonstrate a compelling reason for a different default setting,
taking into account the best interests of the child.
8. Data minimisation – service providers are
to collect and retain only the minimum amount of personal data
required to provide the elements of their service in which a child
is actively and knowingly engaged.
9. Data sharing – children's data is not
to be disclosed to third parties unless a compelling reason to do
so can be demonstrated, taking account of the best interests of the
child.
10. Geolocation – geolocation options are
required to be switched off by default unless there is a compelling
reason for them to be switched on by default, taking into account
the best interests of the child. There should also be a sign that
is obvious to the child when the geo-tracking is switched on.
Options which make a child's location visible to others are
also required to revert to 'off' mode automatically at
the end of each session.
11. Parental controls – the child needs to
be provided with age appropriate information if there are parental
controls. If the online service provides a facility for a parent or
carer to monitor the child's activity online or track the child's
location, there needs to be an obvious sign to the child to show when
monitoring is taking place.
12. Profiling – any profiling options should
be switched to off by default unless there are compelling reasons
for profiling to be on by default, taking into account the best
interests of the child. Profiling should only be permitted if there
are sufficient measures in place to protect the child from harm (in
particular, supplied content that is detrimental to their
well-being).
13. Nudge techniques – techniques that lead
or encourage children to give unnecessary personal data or
encourage them to switch off their privacy protections should not
be used.
14. Connected toys and devices – connected
toys or devices should include effective tools to enable
conformance with the code.
15. Online tools – tools should be provided
to help children exercise their data protection rights and to allow
them to report concerns. These tools should be displayed
prominently and be readily accessible.
Providers will need to be able to demonstrate that they conform to these standards, which are also cumulative and interlinked. Service providers will therefore be required to implement them all, to the extent they are relevant to their service.
Action Required:
To ensure compliance with the new Code and avoid potential legal
action or enforcement by the regulator, owners and developers of
online services aimed at children, or where children form a
proportion of their users, will need to do a thorough audit of all
their websites, apps, online games, toys and other devices
(whether with or without screens) and any other online services,
using DPIAs to check anywhere they may not align with the new Code,
and change their privacy default settings where necessary. Given
that the 12 month transition period once the Code comes into full
effect is relatively short, and that the ICO estimates that the
Code will be in full effect by Autumn 2021, those to whom the Code
will apply should embark on this audit process as a
priority.