Age appropriate design

Age Appropriate Design Overview

Expected to come into effect by December 2019, the UK’s Age Appropriate Design Code will be the first of its kind and will have major implications for online services.

Statistically speaking it is estimated that by the time a child is 18 there will be 70000 data points about them. With everything we know about the potential to identify an individual through their online data trail; the fact that at present there is a failure by most online services to offer age appropriate data protection to children is highly disconcerting.

In response to these alarming trends, earlier this year the ICO launched and held public consultation on its draft Age Appropriate Design Code.  While the code has yet to be laid before parliament, it is expected to come into effect before the end of the year.

In an April 2019 statement UK Information Commissioner Elizabeth Denham  said there is a need to balance the protection of people online while embracing the opportunities of digital innovation.

When it comes to children, thats more important than ever. In an age when children learn how to use a tablet before they can ride a bike, making sure they have the freedom to play, learn and explore in the digital world is of paramount importance. The answer is not to protect children from the digital world, but to protect them within it,” said Denham.

The UKs Age Appropriate Design Code provides practical guidance on how to design data protection safeguards into online services to ensure they are appropriate for use by and meet the development needs of children.  It outlines and details the following 16 standards on age-appropriate design for online services likely to be accessed by children:

1. Best interests of the child
2. Age-appropriate application
3. Transparency
4. Detrimental use of data
5. Policies and community standards
6. Default settings
7. Data minimisation
8. Data sharing
9. Geolocation
10. Parental controls
11. Profiling
12. Nudge techniques
13. Connected toys and devices
14. Online tools
15. Data protection impact assessments
16. Governance and accountability.

Who is this code for?

The ICO notes that the code applies to online products or services (including apps, programs, websites, games or community environments, and connected toys or devices with or without a screen) that process personal data and are likely to be accessed by children in the UK.  It is not only for services aimed at children.

It should be noted that several recitals and articles in the GDPR cover the requirements for the processing of children’s data. When it comes to the offering of an Information Society Service (ISS) directly to a child, one should consider that in the UK, only children aged 13 or over are able provide their own consent when this is the legitimate basis the controller relies on. For children under this age the controller needs to get consent from the holder of parental responsibility, unless the ISS is an online preventive or counselling service. In addition, when a service or product likely to be accessed by children is provided, the following apply: the need to set up a clear and age-appropriate privacy notices, the prohibition of using their data for automated decision-making and the suitability of carrying out a DPIA. Specific age policies should be put in place for managing and addressing the processing of children data, both when the product or service provided are aimed at children and when they are not.

Does your company offer online services likely to be accessed by minors? If so, it will be imperative that you adhere to the UK Data Protection Code once it is effected. Aphaia’s data protection impact assessments and Data Protection Officer outsourcing will assist you with ensuring compliance.

Reference: 5Rights Foundation 



CCPA vs GDPR. In this blog we take a look at similarities and differences between the CCPA and the GDPR. 

It has been a year and a half since the GDPR started to apply. Did you think you were done adapting all your data processes to the Regulation? Don’t miss this post! You might still have a lot of work to do with the new California Consumer Privacy Act (CCPA).

The CCPA was enacted in 2018 and it will be effective from January 1, 2020. It is the first law in the US to provide the consumers with privacy rights. Businesses collecting, selling or disclosing California residents personal information might be subject to the CCPA requirements.

At this stage you may be wondering if the CCPA is the ‘Californian GDPR’. Don’t panic! We have prepared this blog to let you answer that question yourself. Aphaia has gone through the CCPA and the GDPR thoroughly in order to identify the most relevant similarities and differences between them and we have put together our findings in the lines below.

Who is obliged to comply with the CCPA?

While the GDPR applies to “controllers” regardless of their nature or their activity, the CCPA requirements only apply to for-profit entities (“businesses”) that:

are for-profit;
collect consumers’ personal information, or on the behalf of which such information is collected;
determine the purposes and means of the processing of consumers’ personal information;
do business in California; and
meets any of the following thresholds:
has annual gross revenue in excess of $25 million;
alone or in combination, annually buys, receives for the business’s commercial purposes, sells or shares for commercial purposes the personal information of 50,000 or more consumers, households, or devices; or
derives 50% or more of its annual revenues from selling consumers’ personal information.

The CCPA also applies to any entity that controls or is controlled by the business.

Are there territorial limits?

The CCPA applies to organisations that do business in California and, similar to the GDPR, even though it is not explicitly mentioned, it also seems to be applicable to those ones established outside of California if they collect, sell or disclose California consumers personal information while conducting business in California.

Who has rights under the CCPA?

The GDPR covers the privacy rights of ‘data subjects’, who are defined as “an identified or identifiable natural person”, whereas the CCPA protects ‘consumers’,understood as natural persons who are California residents.

Which processes involving data fall under the CCPA?

Whilst the GDPR refer the ‘processing’ of personal data, the CCPA specifically includes ‘collecting’ and ‘sharing’ personal data.

It is important to note that ‘collecting’ covers “buying, renting, gathering, obtaining, receiving, or accessing any personal information pertaining to a consumer by any means” and ‘selling’ comprises “renting, disclosing, releasing, disseminating, making available transferring, or otherwise communicating personal information for monetary or other valuable consideration”. It should be stressed that ‘selling’ does not necessarily involve a payment to be made in exchange for personal information.

What rights does the CCPA provide the consumers with?

Similar to the GDPR, the CCPA provides consumers with new rights, including a right to transparency about data collection, a right to be forgotten, and a right to opt out of having their data sold, which becomes opt in for minors.That said, Californian consumers have the following rights:

The right to know whether their personal information is being collected about them.
The right to request the specific categories of information a business collects upon verifiable request.
The right to know what personal information is being collected about them, the categories of sources form which the information is collected, the business purposes for collecting or selling the information and the categories of third parties with which the information is shared.
The right to say “no” to the sale of personal information.
The right to delete their personal information.
The right to equal service and price, even if they exercise their privacy rights.

It is clear that the CCPA will have large implications for businesses in California (and all around the world!) as it is the strictest privacy law ever enacted in the US. However, with appropriate help, organisations will be able to manage the requirements and implement them step by step as happened with the GDPR almost two years ago.

Do you require assistance with CCPA compliance? Aphaia provides both GDPR and CCPA adaptation services, including data protection impact assessments and Data Protection Officer outsourcing.

Apple data sharing

Apple faces scrutiny for data sharing practices

Apple accused of potential improper data-sharing.

Earlier this month American multinational technology company Apple came under scrutiny for its data-sharing practice of sending IP addresses from users of its Safari browser to Google and Chinese-based tech company Tencent.

Apple has since defended this practice, noting that it is a Safari Fraudulent Warning security feature aimed at flagging websites known to be malicious. In an interview with iMore, Apple reportedly noted that When the feature is enabled, Safari checks the website URL against lists of known websites and displays a warning if the URL the user is visiting is suspected of fraudulent conduct like phishing. To accomplish this task, Safari receives a list of websites known to be malicious from Google, and for devices with their region code set to mainland China, it receives a list from Tencent. The actual URL of a website you visit is never sharedwith a safe browsing provider and the feature can be turned off.

It is of note that Apples Fraudulent Website Warning setting is automatically set to on. As such users would have to delve into their settings and toggle this off if they do not want to have their IP address forwarded to Google and Tencent when using the Safari browser. It is also reported that toggling this setting to offwould potentially render browsing sessions less secure.

Potential GDPR and CCPA implications?

Considering that IP addresses can reveal user locations and can also be used to profile users,they are deemed as online identifiers, thus they are personal data as covered by Recital 30 GDPR, which means that this feature would be subject to GDPR compliance.

The recent Cookies Consent ruling by the CJEU, explored in one of our recent blog posts could also potentially affect the way Apple handles its default permission settings.

Moreover, with the California Consumer Privacy Act Regulations (CCPA Regulations)schedule to take effect on January 1, 2020introducing  consumer rights related third party sharing for companies doing business with California residents; it is likely that Apple would also have to review this practice to ensure CCPA compliance.

This practice was explained in the privacy policy within the section “About Safari & Privacy” and it was publicly accessible to anyone who opened the Settings app. However, one should note that even though the privacy policy shall contain every personal data processing carried out by the controller for the sake of transparency and in line with articles 13 and 14 GDPR, it does not mean that any data processing added to the privacy policy will automatically become lawful, for which a valid legal basis for the processing (contract, consent or legitimate interest among others) is required.

Does your company website facilitate data sharing to third parties? Aphaia’s  GDPR and CCPA adaptation services, including our  data protection impact assessments and Data Protection Officer outsourcing will help you ensure compliance with the soon to be effected CCPA Regulations and GDPR.

Reference: iMore

CCPA Regulations

CCPA Regulations Overview

CCPA Regulations, the Californian GDPR? California Attorney General releases draftRegulations under the California Consumer Privacy Act.

You think Data Privacy and Data Protection and it’s more than likely that the GDPR or the UK Data Protection Act 2018 will come to mind. This is because over the last few years significant strides have been made within the European Union and the United Kingdom as it relates to privacy rights in the todays highly connected technological era. Yet while it seemed that regulations and restrictions were more centered towards the European countries, the recent introduction of the CCPA Regulation by California Attorney General Xavier Becerra will undoubtedly usher in privacy changes for the US and any company doing business with California citizens.

What is CCPA?

According to Office of the Attorney General California the California Consumer Privacy Act (CCPA), creates new consumer rights relating to the access to, deletion of, and sharing of personal information that is collected by businesses.”

As a result of the CCPA California-based consumers will now have the following rights:

  •  the right to request that a business that collects a consumers personal information disclose to that consumer the categories and specific pieces of personal information the business has collected.
  •  the right to request that a business delete any personal information about the consumer which the business has collected from the consumer.
  •  the right to request that a business that collects personal information about the consumer disclose to the consumer information related to the categories of personal information collected, the source of the information, the use of the information and, if the information was disclosed or sold to third parties.
  •  the right to request that a business that sells the consumers personal information, or that discloses it for a business purpose, disclose to that consumer
  • the right, at any time, to direct a business that sells personal information about the consumer to third parties not to sell the consumers personal information. This right may be referred to as the right to opt-out.

While the CCPA was enacted in 2018, Aphaia’s Managing Director Bostjan Makarovic explained that it needed regulations from the attorney general in order to function properly. Last week these much anticipated regulations were issued by the California AG.

CCPA Regulations Overview:

Known as the California Consumer Privacy Act Regulations these regulations govern compliance with the CCPA and violation of the regulations shall constitute a violation of the CCPA.

The following guidelines and requirements are detailed in the CCPA Regulations;

Notice to consumers
Business Practices for Handling Consumer Requests
Verification of Requests
Special Rules Regarding Minors

The regulations are expected to come into effect on January 1, 2020.

Will the CCPA affect Europe and UK-based companies?

Aphaia’s Managing Partner Bostjan says: “In a way similar to GDPR, CCPA is not only relevant for businesses based in the jurisdiction but also to any business that process (collect, sell, disclose) personal information from California resident consumers.”

Do you require assistance with CCPA compliance? Aphaia provides both GDPR and CCPA adaptation services, including data protection impact assessments and Data Protection Officer outsourcing.