Regulating the online world is a huge challenge, particularly when it comes to protecting children. For its part, the Information Commissioner’s Office (ICO) prepared a draft code of practice for online services that are likely to be accessed by children. A consultation was held and the ICO will now draft a final version to be approved by Parliament. It is expected to come into effect by the end of 2019.
The code will apply to online services provided for remuneration, as well as not-for-profit services or those funded by advertising. This will cover most online services, including apps, websites, social media platforms and content streaming services.
The focus of the code is whether a service is likely to be accessed by children under 18, making its application extremely wide-reaching. It is not restricted to services specifically directed at children, and includes those that appeal to children (including those directed at adults).
There are 16 standards of age appropriate design, all of which must be met to demonstrate compliance with data protection laws when processing children’s personal data.
The standards are:
Best interests of the child
This should be the primary consideration when online services are designed and developed.
The needs of children at different ages and stages of development should be at the heart of how your service is designed.
In practice, you will need to put in place robust age verification mechanisms or apply the same standards to all users by default.
The privacy information you provide should be concise, prominent and use clear language suited to the age of the child. This could include diagrams, video and audio content.
Detrimental use of data
Personal data of children should not be used in ways that would be detrimental to their wellbeing or go against industry codes of practice, other regulatory provisions or Government advice.
Policies and community standards
You should uphold your own terms, policies and community standards (including privacy policies, age restriction, behaviour rules and content policies).
By default, settings for children must be ‘high privacy’.
The collection and retention of children’s personal data should be kept to a minimum, and this should only be for each element of your service the child chooses to use.
Personal data of children should not be disclosed to any third parties.
By default, the geolocation for a child should be switched off.
When a child’s geolocation is active, this must be clearly signposted to the child.
You should give age appropriate information about any parental controls, and should clearly tell children if a parent / guardian has the ability to monitor their online activity or track their location.
Profiling is the use of personal data to analyse certain aspects or traits.
All such profiling should be switched off by default for children.
Children should not be encouraged to provide unnecessary personal data, decrease their level of privacy protection or prolong their use of your service.
Nudges towards pro-privacy actions may be appropriate.
Connected toys and devices
If you provide a toy or device which collects personal data and transmits it via the internet, you will need to ensure that you include effective tools to enable compliance with the code.
Children should be provided with easy access to age appropriate and easy to use tools to enable them to exercise their data protection rights and report any concerns they may have.
Data protection impact assessments (DPIAs)
You should undertake DPIAs specifically to assess the risks to children and to consider how to mitigate any such risks.
Governance and accountability
You should ensure policies and procedures are in place to demonstrate compliance with your data protection obligations and the code. This should include data protection training for all staff involved in the design and development of online services likely to be accessed by children.
All compelling reasons to act against any of the above standards will need to take into account the best interests of the child. A valid compelling reason will most likely relate to safeguarding and welfare.
Compliance will be monitored through audits. The ICO will consider complaints and take action to enforce the code. If you do not comply with it, you will find it difficult to demonstrate that your processing is fair and complies with the GDPR or Privacy and Electronic Communications Regulations. The ICO has the power to take action for breaches, such as issue warnings, reprimands, stop-now orders and fines.