On 21 January 2020, the UK’s data protection watchdog, the Information Commissioner's Office, published a set of design standards for Internet services, which are intended to help protect the privacy and safety of children online. The code sets out the standards expected of those responsible for designing, developing or providing online services such as applications, connected toys and devices, programs, social media platforms, messaging services, games, websites and streaming services. It covers services likely to be accessed by children and which process their data. It is, however, not restricted to services specifically directed at children.
This new code was introduced pursuant to the UK Data Protection Act 2018, and is intended to provide a set of 15 standards that online services should follow to protect children’s privacy. The code will apply to organizations that offer “relevant” information society services that are “likely” to be used by children. The code is not intended to be a binding statement of the law, but lays out how to interpret the GDPR's requirements in relation to children. The ICO further stated that since data relating to children is afforded special protection in the GDPR and is a regulatory priority for the ICO, conforming to the standards set out in the code will be deemed a key measure of compliance with data protection laws. Accordingly, even though many of the standards laid out in the code are based on the principles laid out in the GDPR, some go further than the GDPR.
The code sets out 15 standards of age appropriate design reflecting a risk-based approach. The focus is on providing default settings that ensure that children have the best possible access to online services whilst minimizing data collection and use, by default.
The 15 standards laid out by the code are as follows:
Best interests of the child
According to the code, the best interests of the child should be a primary consideration when designing and developing online services likely to be accessed by a child. The code states that this does not exclude the possibility for an organization to pursue its own commercial or other interests. Instead, it simply means that organizations should account for the best interests of the child as a primary consideration where any conflict arises. This standard could be read to go beyond the requirements of the GDPR, since it appears to include a positive obligation to consider how an organization's use of personal data can keep children safe from exploitation risks and protect their health and well-being.
Data protection impact assessments (DPIA)
According to the code, firms should undertake a DPIA to “assess and mitigate risks to the rights and freedoms of children” who are likely to access the service, which may arise from the data processing. The DPIA should take into account differing ages, capacities and development needs. As a reminder, DPIAs are a key part of the accountability obligations under the GDPR, facilitate a ‘data protection by design’ approach and are an effective way to assess and document compliance with data protection obligations.
A “risk-based approach to recognizing the age of individual users” should be taken. This should either establish age with a level of certainty that is appropriate to the risks to the rights and freedoms of children that arise from the data processing, or apply the standards in the code to all users instead. Factors to be considered include the types of data collected, the volume of data, the intrusiveness of any profiling, whether decision making or other actions follow from profiling, and whether the data is being shared with third parties. The code further refers to the GDPR and the UK Data Protection Act 2018, which specify that if you rely on consent for any aspects of your online service, you need to get parental authorization for children under 13.
Privacy information provided to users, as well as other published terms, policies and community standards, “must be concise, prominent and in clear language suited to the age of the child”. Additional specific ‘bite-sized’ explanations about how personal data is used should be provided at the point that use is activated. As a reminder, transparency is already a key requirement under the GDPR, in particular under Article 5(1) of the GDPR which requires the processing of personal data to be done “lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’)”.
Detrimental use of data
Children’s personal data must not be used in ways that have been “shown to be detrimental to their wellbeing, or that go against industry codes of practice, other regulatory provisions or Government advice”. Accordingly, organizations must ensure that they comply with relevant standards and codes of practice within an industry or sector, and in particular any provisions within them that relate to children.
Policies and community standards
The code provides that organizations must uphold their own published terms, policies and community standards (including privacy policies, age restriction, behavior rules and content policies). This is another way of saying that you must say what you do in your policies and you must do what you say.
Settings must be set to ‘high privacy’ by default (unless a compelling reason for a different default setting can be shown, taking into account the best interests of the child).
Collect and retain “only the minimum amount of personal data” needed to provide the elements of the service in which a child is actively and knowingly engaged. Children should be given separate choices over which elements they wish to activate.
Data relating to children should not be disclosed unless a compelling reason to do so can be shown, taking account of the best interests of the child.
Geolocation tracking features should be switched off by default (again, unless a compelling reason to switch them on can be shown). In such a case, an obvious sign for children should be shown when location tracking is active. Options which make a child’s location visible to others must default back to ‘off’ at the end of each session.
Children should be provided with age-appropriate information about the parental controls available. If an online service allows a parent or a guardian to monitor their child’s online activity or track their location, then the service should provide an “obvious sign to the child when they are being monitored”.
Options that use profiling should be turned off by default. The ‘off by default’ setting does not mean that profiling is not possible or banned. Whenever possible, children should be offered control over whether and how their personal data is used. So most profiling should be subject to a privacy setting. In addition, profiling should only be allowed if there are “appropriate measures” in place to protect the child from any harmful effects, such as content that is detrimental to their health or wellbeing.
Nudge techniques to “lead or encourage children to provide unnecessary personal data or weaken or turn off their privacy protections” should not be used.
Connected toys and devices
Organizations providing connected toys or devices (e.g. a fitness band that records the child’s level of physical activity and then transmits this back to servers, or a ‘home hub’ interactive speaker device) should include effective tools to enable conformance to the code. This includes being clear about who is processing the personal data and what their responsibilities are, anticipating and providing for use by multiple users of different ages, providing clear information about your use of personal data at point of purchase and on set-up, finding ways to communicate ‘just in time’ information and avoiding passive collection of personal data.
Prominent and accessible tools should be provided to help children exercise their data protection rights and report concerns.
The code, which should be approved by Parliament later this year, is expected to come into force in autumn 2021. Organizations that provide online services will need to assess whether the code applies to them and the steps that they may need to take to comply.