Age Appropriate Design Code - Are You Ready?

A brief reminder that there are six months left to comply with the Children’s Code and the ICO has issued an appeal for transparency champions.

Background

The Age Appropriate Design Code (Children's Code), which came into force on 2 September 2020 aims to help ensure that children’s privacy is protected online. The Children’s Code allowed for a 12 month transition period, meaning that organisations have until 2 September 2021 to ensure their compliance.

The Information Commissioner’s Office (ICO) recently undertook research into whether organisations are prepared and suggested that many are in the preparation phase. The initial findings were published on 2 March 2021, together with a reminder that there are only six months left to make changes to align your online services, operations and products with the Children’s Code. The full findings will be published in a few months’ time.

When does the Children’s Code apply?

The Children’s Code applies to “information society services likely to be accessed by children” in the UK. The ICO has noted that this includes many apps, programs, connected toys and devices, search engines, social media platforms, streaming services, online games, news or educational websites and websites offering other goods or services to users over the internet.

This will have a significant impact on website design and organisations may need to make substantial design and operational changes to existing sites. Importantly, it is not restricted to services specifically directed at children but those used by children.

Standards of Age Appropriate Design

The standards are, in summary:

• Best interests of the child – website design and development should have the best interests of the child in mind.
• Data protection impact assessments – assess and mitigate risks to the rights and freedoms of children who are likely to access the service, which arise from data processing. Consider ages, capacities and development needs.
• Age appropriate application – risk-based approach to recognising the age of individual users and ensure you effectively apply the standards in this code to child users. Consider ways of establishing the age of the users or otherwise apply the standards to all users.
• Transparency –privacy information and any other terms you provide must be easy to read and understand for the appropriate age group. Consider policies and notices drafted specifically for children and provide additional specific ‘bite-sized’ explanations at the point of use of their personal data. The aim is for children to easily understand how, when and why services use their data.
• Detrimental use of data – do not use children’s personal data in ways that have been shown to be detrimental to their wellbeing, or that go against industry codes of practice, other regulatory provisions or Government advice.
• Policies and community standards –uphold your own published terms, policies and community standards (e.g. age restrictions and content policies).
• Default settings –unless there is a compelling reason not to, website default settings must be ‘high privacy’ by design.
• Data minimisation –only collect and retain the minimum amount of personal data needed to provide the elements of the service used by children. Offer children choices over which elements they wish to activate.
• Data sharing – unless there is a compelling reason to do so, do not disclose children’s data.
• Location tracking turned off –unless there is a compelling reason not to, geolocation options should be off by default. Provide an obvious sign for children when location tracking is active. Options which make a child’s location visible to others must default back to ‘off’ at the end of each session.
• Parental controls – give child age appropriate information about parental controls being used, where applicable. Provide an obvious sign to the child if and when they are being monitored.
• Profiling turned off –unless there is a compelling reason not to, options which use profiling should be off by default. Only allow profiling if you have appropriate measures in place to protect the child from any harmful effects (e.g. don’t feed content that is detrimental to their health or wellbeing).
• Nudge techniques – do not use techniques aimed at encouraging children to provide unnecessary personal data.
• Connected toys and devices –if you provide a connected toy or device ensure you include effective tools to enable conformance to the Children’s Code
• Online tools – provide prominent and accessible tools to help children exercise their data protection rights and report concerns.

Transparency Champions

In addition to the reminder issued about compliance, the ICO has also opened a consultation calling for organisations to become so-called transparency champions. The consultation is open to anyone who is committed to designing projects using privacy information in ways that are easy for children to engage with, or has ideas or examples of privacy designs that meet the Children’s Code transparency standard.

The ICO would “like to hear from online services, children’s rights advocates, designers, academics and anyone else working to deliver our vision to place the best interests of children at the heart of the online world” and invite participants to submit ideas before 23.00 pm on Friday 30 April 2021.

In addition to consulting the market, the ICO is using feedback from organisations and sector-specific events and discussions, to assess whether there are further requirements for tailored guidance and support, to supplement existing resources on the Children’s Code.

Ensuring Trust in Innovation

Elizabeth Denham (ICO) spoke at the Oxford Internet Institute on 3 March 2021 and two particular comments highlight the importance of organisations’ compliance with the Children’s Code and the transformative impact it is likely to have:

“The Code is an important piece of work in protecting children. In the coming decade, I believe children’s codes will be adopted by a great number of jurisdictions and we will look back and find it astonishing that there was ever a time that children did not have these mandated protections.”

“There is a more fundamental point here too: if we have a generation who grow up seeing digital services misuse their personal data, what does that do to their trust in innovation in the future?”

The Children's Code will be the first of its kind and is expected to become an international benchmark.