The UK Information Commissioner’s Office (ICO) issued a consultation on a draft code of practice for designing age-appropriate access for children accessing online products and services provided by information society services (ISS). The consultation closes on 31 May 2019. The draft code sets out principles for any online service accessed by children under the age of 18.
Best interests of the child at the core
This code of practice is based on the key principle in the United Nations Convention on the Rights of the Child that the best interests of the child should be a primary consideration in all actions concerning children. In the context of today’s myriad of online services, it has become increasingly difficult for both parents and children to make informed choices or exercise control over the way services use children’s personal data. The code aims to respect the rights and duties of the parents but also the children’s evolving capacity to make their own choices.
16 headline ‘standards of age-appropriate design’
The code requires ISS providers to abide by 16 cumulative standards when processing personal data of children through their services:
- Best interests of the child: The best interests of the child should be a primary consideration when designing and developing online services likely to be accessed by a child.
- Age-appropriate application: ISS providers should be mindful of the age range of their audience and the needs of children of different ages. Unless they have reliable age-verification mechanisms in place, the standards need to be applied to all users.
- Transparency: All terms, policies, community standards and privacy information provided to users must be in clear and concise language so as to be appropriate to the age of the child.
- Detrimental use of data: Children’s personal data should not be used in ways which are detrimental to their well-being or which are contrary to codes of practice, regulations or governmental advice.
- Policies and community standards: ISS providers should maintain published terms, policies and community standards.
- Default settings: Settings should be set as ‘high privacy’ by default (unless a compelling reason considering the best interests of the child applies).
- Data minimisation: ISS providers should collect and retain only the minimum amount of personal data needed to deliver the service that the child engages in.
- Data sharing: Children’s personal data should not be disclosed (unless a compelling reason considering the best interests of the child applies).
- Geolocation: Geolocation options should be switched off by default, and a clear sign for children should appear whenever location tracking is active.
- Parental controls: Children should be informed or shown via an obvious sign whenever the service allows parents to monitor their online activity or track their location.
- Profiling: Profiling options should be switched off by default or otherwise allowed only if appropriate measures are implemented to protect children from harmful effects.
- Nudge techniques: Nudge techniques encouraging children to provide unnecessary data or turn off their privacy protections should not be used.
- Connected toys and devices: ISS providers that offer connected toys or devices should ensure that all of their tools are compliant with this code.
- Online tools: Children should be given visible access to tools helping them exercise their data protection rights and report concerns.
- Data protection impact assessments (DPIAs): DPIAs should be conducted, especially when there is a need to assess and mitigate risks to children likely to access relevant services.
- Governance and accountability: As a catch-all, appropriate policies and procedures to comply with this code should be in place, and data protection training should be given to staff involved in developing services accessible to children.
ISS businesses should not overlook the implications of this code of practice. They should comply with the standards, not only to prove that they take children’s privacy seriously, but also as a key measure of compliance with data protection laws. ICO has made it clear that ISS businesses must show that their processing of personal data is fair and in compliance with the UK data protection regime, as set out in the GDPR, the Privacy and Electronic Communications Regulations and the Data Protection Act 2018. Abiding to this code will show just that and will protect against potential ICO enforcement actions.