Expected to come into effect by December 2019, the UK’s Age Appropriate Design Code will be the first of its kind and will have major implications for online services.
Statistically speaking, it is estimated that by the time a child is 18 there will be 70,000 data points about them. Given everything we know about the potential to identify an individual through their online data trail, the failure of most online services at present to offer age-appropriate data protection to children is highly disconcerting.
In response to these alarming trends, earlier this year the ICO launched and held a public consultation on its draft Age Appropriate Design Code. While the code has yet to be laid before Parliament, it is expected to come into effect before the end of the year.
In an April 2019 statement, UK Information Commissioner Elizabeth Denham said there is a need to balance the protection of people online while embracing the opportunities of digital innovation.
“When it comes to children, that’s more important than ever. In an age when children learn how to use a tablet before they can ride a bike, making sure they have the freedom to play, learn and explore in the digital world is of paramount importance. The answer is not to protect children from the digital world, but to protect them within it,” said Denham.
The UK’s Age Appropriate Design Code provides practical guidance on how to design data protection safeguards into online services to ensure they are appropriate for use by and meet the development needs of children. It outlines and details the following 16 standards on age-appropriate design for online services likely to be accessed by children:
Who is this code for?
The ICO notes that the code applies to online products or services (including apps, programs, websites, games or community environments, and connected toys or devices with or without a screen) that process personal data and are likely to be accessed by children in the UK. It is not only for services aimed at children.
Several recitals and articles in the GDPR cover the requirements for processing children’s data. When an Information Society Service (ISS) is offered directly to a child in the UK, only children aged 13 or over are able to provide their own consent when consent is the legitimate basis the controller relies on. For children under this age, the controller needs to get consent from the holder of parental responsibility, unless the ISS is an online preventive or counselling service. In addition, when a service or product likely to be accessed by children is provided, the following apply: the need to set up clear and age-appropriate privacy notices, the prohibition of using their data for automated decision-making and the suitability of carrying out a DPIA. Specific age policies should be put in place for managing and addressing the processing of children’s data, both when the product or service provided is aimed at children and when it is not.
Does your company offer online services likely to be accessed by minors? If so, it will be imperative that you adhere to the UK Data Protection Code once it comes into effect. Aphaia’s data protection impact assessments and Data Protection Officer outsourcing will assist you with ensuring compliance.
Reference: 5Rights Foundation