The Age Appropriate Design Code is law.
The creation of the Code follows lengthy discussions with parents, children, schools, children’s campaign groups, developers, tech and gaming companies and online service providers. Not everyone agreed about the Code. It will mean a lot of work for tech and gaming companies and they will lose ease of access to some under-18s’ personal data and activity. But the views of children and parents have been at the centre of the creation of the final Code. I think grandparents would agree this is a great step forward in online safety.
Who do we thank?
The campaign for this, the first ever statutory code, was led by the 5Rights Foundation, a small but highly effective charity led by Baroness Beeban Kidron (https://5rightsfoundation.com/in-action/5rights-briefing-on-the-age-appropriate-design-code.html). The charity worked tirelessly to bring other charities on board, talk to children and ensure political parties were in support, and ultimately steered the Code through the choppy waters created by different Conservative Governments. The support and commitment of the Information Commissioner meant the final hurdles were jumped. This pioneering work is set to go global.
What is meant by ‘children’?
The Code views children as anyone under the age of 18. This is in line with the Convention on the Rights of Children, already part of UK law.
Which digital platforms are included?
In layperson’s terms, any digital space on the internet which children may or do use is included. This does not mean exclusive use either. The whole population of users will see the benefits of tighter privacy.
What will be different?
The Code means that if our children are using CBeebies, or our nieces and nephews are using WhatsApp, Facebook or purchasing platforms, then the companies must make settings “high privacy” by default (unless there’s a compelling reason not to). It means that:
- Only the minimum amount of personal data should be collected and retained by companies.
- Children’s data should not usually be shared.
- Location tracking by services like Google, which can follow the location of our kids, should be switched off by default.
- Nudge techniques, which show you things that drive you towards a decision you might not otherwise make, should not be used to encourage children to provide unnecessary personal data or to weaken or turn off their privacy settings.
Who is responsible for the Code?
It is Elizabeth Denham, the Information Commissioner, and her staff at the ICO who will be responsible for enforcing the Code. https://ico.org.uk/for-organisations/guide-to-data-protection/key-data-protection-themes/age-appropriate-design-a-code-of-practice-for-online-services/
What happens if we complain?
For serious breaches Elizabeth has the power to issue fines of up to £17.5 million or 4% of a company’s annual worldwide turnover. So the punishments are severe.
Elizabeth says that where she sees ‘harm or potential harm to children we will likely take more severe action against a company than would be the case for other types of personal data’.
Time for us all to prepare
I hope Elizabeth will be making her Complaints process friendly for parents so that they can make complaints on behalf of their children and for children as young as 8 to make their own complaints. Parents and grandparents should start looking at platforms, apps, websites which they feel do not make the cut and be ready to complain. Only by the public making complaints can the Information Commissioner act in defence of children.
This code is in force from 2 September 2020, with a 12-month transition period for companies and the ICO to properly prepare.
The standards are:
- Best interests of the child: The best interests of the child should be a primary consideration when you design and develop online services likely to be accessed by a child.
- Data protection impact assessments: Undertake a DPIA to assess and mitigate risks to the rights and freedoms of children who are likely to access your service, which arise from your data processing. Take into account differing ages, capacities and development needs and ensure that your DPIA builds in compliance with this code.
- Age appropriate application: Take a risk-based approach to recognising the age of individual users and ensure you effectively apply the standards in this code to child users. Either establish age with a level of certainty that is appropriate to the risks to the rights and freedoms of children that arise from your data processing, or apply the standards in this code to all your users instead.
- Transparency: The privacy information you provide to users, and other published terms, policies and community standards, must be concise, prominent and in clear language suited to the age of the child. Provide additional specific ‘bite-sized’ explanations about how you use personal data at the point that use is activated.
- Detrimental use of data: Do not use children’s personal data in ways that have been shown to be detrimental to their wellbeing, or that go against industry codes of practice, other regulatory provisions or Government advice.
- Policies and community standards: Uphold your own published terms, policies and community standards (including but not limited to privacy policies, age restriction, behaviour rules and content policies).
- Default settings: Settings must be ‘high privacy’ by default (unless you can demonstrate a compelling reason for a different default setting, taking account of the best interests of the child).
- Data minimisation: Collect and retain only the minimum amount of personal data you need to provide the elements of your service in which a child is actively and knowingly engaged. Give children separate choices over which elements they wish to activate.
- Data sharing: Do not disclose children’s data unless you can demonstrate a compelling reason to do so, taking account of the best interests of the child.
- Geolocation: Switch geolocation options off by default (unless you can demonstrate a compelling reason for geolocation to be switched on by default, taking account of the best interests of the child). Provide an obvious sign for children when location tracking is active. Options which make a child’s location visible to others must default back to ‘off’ at the end of each session.
- Parental controls: If you provide parental controls, give the child age appropriate information about this. If your online service allows a parent or carer to monitor their child’s online activity or track their location, provide an obvious sign to the child when they are being monitored.
- Profiling: Switch options which use profiling ‘off’ by default (unless you can demonstrate a compelling reason for profiling to be on by default, taking account of the best interests of the child). Only allow profiling if you have appropriate measures in place to protect the child from any harmful effects (in particular, being fed content that is detrimental to their health or wellbeing).
- Nudge techniques: Do not use nudge techniques to lead or encourage children to provide unnecessary personal data or weaken or turn off their privacy protections.
- Connected toys and devices: If you provide a connected toy or device ensure you include effective tools to enable conformance to this code.
- Online tools: Provide prominent and accessible tools to help children exercise their data protection rights and report concerns.
- Note any concerns you have about platforms, websites or apps which your under-18s are using.
- Encourage your children to make complaints if they are concerned about their privacy or the use of their data.
- Be ready to make complaints on their behalf.
- Enforcement goes live in Sept 2021.