Age Appropriate Design Code will come into force September 2nd 2020, and will be ushered in by a 12-month transition period allowing online services time to conform.
The Age Appropriate Design Code which we had initially reported on back in January when the final version of this code was first introduced, has now completed the parliamentary process, and was recently issued by the ICO to come into force on 2nd September 2020. This code of to practice for online services finalised 15 standards laid in Parliament in January of this year. Under section 123 (1) of the Data Protection Act 2018, the Information Commissioner was required to prepare this code which contains guidance on what is considered appropriate on standards of age appropriate design of relevant information society services, which are likely to be accessed by children.
The Age Appropriate Design Code is a statutory code of practice, providing built in protection for children online.
This code is the first of its kind, is considered, by the Information Commissioner, necessary and achievable, and is expected to make a difference. The Commissioner believes that companies will want to conform with the standards, to demonstrate their commitment to always acting in the best interests of the child. This code, although not expected to replace parental control, should increase confidence in the safety of children, as they surf the internet. The 15 principles of this code are flexible, and are not laws, but rather a statutory code of practice which provides built in protection for children spending time online, ensuring that their best interests are the primary consideration when developing and designing online services.
The Code lays out 15 Standards, ensuring children’s best interest.
- The best interests of the child;
The best interests of the child should be a primary consideration when you design and develop online services likely to be accessed by a child.
- Data protection impact assessments;
Undertake a DPIA to assess and mitigate risks to the rights and freedoms of children who are likely to access your service, which arise from your data processing. Take into account differing ages, capacities and development needs and ensure that your DPIA builds in compliance with this code.
- Age appropriate application;
Take a risk-based approach to recognising the age of individual users and ensure you effectively apply the standards in this code to child users. Either establish age with a level of certainty that is appropriate to the risks to the rights and freedoms of children that arise from your data processing, or apply the standards in this code to all your users instead.
The privacy information you provide to users, and other published terms, policies and community standards, must be concise, prominent and in clear language suited to the age of the child. Provide additional specific ‘bite-sized’ explanations about how you use personal data at the point that use is activated.
- Detrimental use of data;
Do not use children’s personal data in ways that have been shown to be detrimental to their wellbeing, or that go against industry codes of practice, other regulatory provisions or Government advice.
- Policies and community standards;
Uphold your own published terms, policies and community standards (including but not limited to privacy policies, age restriction, behaviour rules and content policies).
- Default settings;
Settings must be ‘high privacy’ by default (unless you can demonstrate a convincing reason for a different default setting, taking account of the best interests of the child).
- Data minimisation;
Collect and retain only the minimum amount of personal data you need to provide the elements of your service in which a child is actively and knowingly engaged. Give children separate choices over which elements they wish to activate.
- Data sharing;
Do not disclose children’s data unless you can demonstrate a convincing reason to do so, taking account of the best interests of the child.
Geolocation options should be off by default (unless you can demonstrate a convincing reason for geolocation to be switched on by default, taking account of the best interests of the child). Provide an obvious sign for children when location tracking is active. Options which make a child’s location visible to others must default back to ‘off’ at the end of each session.
- Parental controls;
If you provide parental controls, the child should be given age appropriate information about this. If your online service allows a parent or carer to monitor their child’s online activity or track their location, you should provide an obvious sign to the child when they are being monitored.
Switch all options which use profiling ‘off’ by default (unless you can demonstrate a convincing reason for profiling to be on by default, taking account of the best interests of the child). Only allow profiling if there are appropriate measures in place to protect the child from any harmful effects (particularly, content that is detrimental to their health or wellbeing).
- Nudge techniques
There should be no use of nudge techniques to lead or encourage children to provide unnecessary personal data or weaken or turn off their privacy protections.
- Connected toys and devices
If your company provides a connected toy or device, you should ensure that you include effective tools to enable conformance to this code.
- Online tools.
Provide prominent and accessible tools which will help children exercise their data protection rights and report concerns.
The code will apply to any product or service likely to be accessed by children, and not just those aimed at children.
The standards laid out in this code applies to any company or institution providing products or services (including apps, programmes, websites, games or community environments, and connected toys or devices with or without a screen) not just aimed at children, but likely to be accessed by children, and which process personal data in the UK. Due to increasing concern about the position of children in the modern digital world and in the wider society, the general consensus in the UK and internationally is that more needs to be done to create a safe space for them to learn, explore, and play online. The purpose of this code is not to protect children from the digital world but to protect them within that space. The code takes account of the standards and principles set out in the UNCRC, and sets out specific protections for children’s personal data in compliance with the GDPR.
This code, which comes into effect next month, must support children’s rights.
This code is due to come into effect on September 2nd, 2020 as announced by the ICO this week. That date will begin the 12 month transitionary period, during which companies are expected to take steps towards full compliance, ensuring that all principles are considered and that their services use children’s data in ways that support the following rights of the child;
- Freedom of expression.
- Freedom of thought, conscience and religion.
- Freedom of association.
- Access information from the media (with appropriate protection from information and material injurious to their well-being).
- Play and engage in recreational activities appropriate to their age.
- Protection from economic, sexual or other forms of exploitation.
Failure to conform to these standards could result in assessment notices, warnings, reprimands, enforcement notices and penalty notices (administrative fines). As a result, data protection impact assessments are suggested to ensure compliance.