The ICO have now published their final version of their Age Appropriate Design Code of Practice for Online Services. The Code is a statutory one in the sense the ICO are obliged by law to produce it. In terms of enforcement action, the ICO could use the Code against any applicable service, if they do not follow it, as failure to follow the Code means the service is unable to demonstrate their compliance if they’re not following best practice.
However, the Code still needs to be approved by Parliament and judging by the ICO’s blog post about the Code, they’re not expecting that to happen till later this year. There will be a 12 month implementation period by which services are expected to apply the Code to their service (which the ICO says means it’s likely services will need to be compliant with the Code by Autumn 2021).
Here’s a summary of the relevant bits, although the full code can be found here:
- Relevant services covered by the Code include any online service used by or likely to be used by children which results in the processing of their data. This includes online services like websites, apps, messaging services, social media, etc.
- A child is defined as a person under 18
- Applies to all services based in the UK, and to non-UK services who have a branch or office in the UK or if the non-UK service is targeted to UK children
- The Code applies to existing services as well as new ones
- The Code includes 15 “standards of age appropriate design”. These standards should be built into the service provision:
- The service should be processing data with the best interests of the child, meaning “supporting the child’s need for safety, health, wellbeing, family relationships, physical, psychological and emotional development, identity, freedom of expression, privacy and agency to form their own views and have them heard”. To achieve this the service must consider how the processing of personal data keeps the child safe from exploitation, protects and supports their health and wellbeing, their physical and psychological development, their need to develop their own identity and views. The service should also support the needs of children with disabilities, support the needs in parents supporting their child in protecting their best interest.
- A DPIA must be carried out which assesses and considers the mitigation of risks to children from the use of the service
- Take a risk based approach to recognising the age of the user so the service can identify whether a user is a child or not
- Be open and transparent about the processing of the data. So, this means that privacy policies, published terms and community standards must be “prominent, and in clear language suited to the age of the child” and provide “‘bite sized’ explanations about how personal data is used, at the point that use is activated. In practice this means services will need to provide clear privacy information, provide additional snippets of information when personal data is being used (e.g. to explain the implications of providing the data and confirming they are OK with it), provide clear terms of service and policies all provided in a way that a child would understand (the ICO provide some guidance on what is appropriate for what age ranges)
- Don’t process a child’s personal data in a way that is “detrimental to their wellbeing” or go against best practice or other legislative requirements. Of particular relevance will be best practice around marketing to children for example
- Services must uphold their policies and procedures for the service, or in other words, if they say a user will/won’t do something or if they have terms about unacceptable behaviour they will need to be able to show they enforce these
- Any settings must be “high privacy” by default to protect the privacy of the child by default unless the child opts to change these settings themselves
- “Collect and retain only the minimum amount of personal data you need” and give the child options over which elements of data they wish to provide at specific points (e.g. don’t ask for everything if some of the data you require will only be needed if the child chooses to use a part of the service that requires specific data at that point)
- Don’t share children’s data unless there is a compelling reason to do so
- Switch geolocation options off by default and be clear to the child if location tracking is active
- If the service provides parental controls (i.e. so a parent can place limits on a child’s activity) give the child age-appropriate information about this and make sure the child is made aware if the parent is able to track their location or can be monitored
- Any profiling options should be off by default and only profile if appropriate measures are in place to protect the child from any “harmful” outcomes from the profiling
- Do not use “nudge techniques” to encourage children to provide unnecessary data or turn off privacy protections
- If the service is a connected toy or device make sure they adhere to the Code
- Provide tools to help children exercise their rights (e.g. access, rectification, erasure, etc.)
- Service providers will be expected to put systems in place to support and demonstrate their adherence with the Code standards
In practice the Code applies a lot of common GDPR practices when a child’s data is being processed, so a lot of what is required should be being done anyway.
Whilst the Code has yet to be ratified by Parliament, you would be best placed to start getting a plan in place to ensure you meet the requirements of the Code as I suspect it’s unlikely it will change much between now and Parliament reviewing it.