ICO Publishes Age Appropriate Design Code Of Practice For Online Products And Services Accessed By Children – Mondaq News Alerts




On 21 January 2020, the ICO published the Age Appropriate Design
Code of Practice. The Code is available here.

Who does the Code apply to?

  • The Code applies to information society services (ISS) which
    are likely to be accessed by under-18s. The ISS does not have to
    be deliberately directed at children.

  • This includes any online products or services (e.g. apps,
    programs, websites, games). This also includes Internet of Things
    (IoT) connected toys and devices – whether with or without a
    screen.

  • The Code applies to ISS with an establishment in the UK OR
    those that are outside the UK (but target goods and services to,
    or monitor, children in the UK).

What does the Code say?

The Code sets out 15 headline “standards of age appropriate
design”:

  • Best Interests: The best interests of the child should be a
    primary consideration when you design and develop online services
    likely to be accessed by a child.

  • Data Protection Impact Assessments: You should undertake a DPIA
    before launching the product or service to assess and mitigate
    risks to the rights and freedoms of children.

  • Age Appropriate Application: You should take a risk-based
    approach to recognising the age of individual users and ensure you
    effectively apply the standards in this code to child users.
    Either establish age with a level of certainty that is appropriate
    to the risks to the rights and freedoms of children that arise
    from your data processing OR apply the standards in this code to
    all your users instead.

  • Transparency: The privacy information you provide to users must
    be concise, prominent, and in clear language suited to the age of
    the child.

  • Detrimental Use of Data: You should not use children’s personal
    data in ways that have been shown to be detrimental to their
    wellbeing, or that go against industry codes of practice, other
    regulatory provisions, or Government advice.

  • Policies and Community Standards: Uphold your own published
    terms, policies and community standards (including but not limited
    to privacy policies, age restriction, behaviour rules and content
    policies).

  • Default Settings: Settings must be ‘high privacy’ by default
    (unless you can demonstrate a compelling reason for a different
    default setting, taking account of the best interests of the
    child).

  • Data Minimisation: Collect and retain only the minimum amount of
    personal data you need to provide the elements of your service in
    which a child is actively and knowingly engaged. Give children
    separate choices over which elements they wish to activate.

  • Data Sharing: You should not disclose children’s data unless you
    can demonstrate a compelling reason to do so, taking account of
    the best interests of the child.

  • Geolocation: You should switch geolocation options off by
    default (unless you can demonstrate a compelling reason for
    geolocation to be switched on by default, taking account of the
    best interests of the child), and provide an obvious sign for
    children when location tracking is active. Options which make a
    child’s location visible to others should default back to ‘off’
    at the end of each session.

  • Parental Controls: If you provide parental controls, give the
    child age appropriate information about this. If your online
    service allows a parent or carer to monitor their child’s online
    activity or track their location, provide an obvious sign to the
    child when they are being monitored.

  • Profiling: You should switch options which use profiling ‘off’
    by default (unless you can demonstrate a compelling reason for
    profiling to be on by default, taking account of the best
    interests of the child). Only allow profiling if you have
    appropriate measures in place to protect the child from any
    harmful effects (in particular, being fed content that is
    detrimental to their health or wellbeing).

  • Nudge Techniques: You should not use nudge techniques to lead or
    encourage children to provide unnecessary personal data or turn
    off privacy protections.

  • Connected Toys and Devices (IoT): If you provide a connected toy
    or device, ensure you include effective tools to enable
    conformance to this code.

  • Online Tools: Provide prominent and accessible tools to help
    children exercise their data protection rights and report
    concerns.

What should businesses do?

There are five steps that businesses should take now to prepare
themselves (as set out in the Code):

  • Step 1: Implement an accountability programme

  • Step 2: Have policies to support and demonstrate compliance

  • Step 3: Train staff

  • Step 4: Keep proper records

  • Step 5: Be prepared to demonstrate compliance with the Code

What happens now?

  • The Code needs to be notified to the
    European Commission and laid before Parliament (in case there are
    any objections). This process will likely be concluded in July /
    August 2020.

  • Businesses will then have 12 months
    to implement the changes from the date the Code takes effect. Based
    on the timescales above, we anticipate the Code will take effect
    around August/September 2021.

  • The ICO will enforce the Code in line
    with their Regulatory Action Policy and may impose fines under the
    Privacy and Electronic Communications Regulations (PECR) and/or
    GDPR, depending on the nature of the breach.

Dentons is the world’s first polycentric global law firm. A
top 20 firm on the Acritas 2015 Global Elite Brand Index, the Firm
is committed to challenging the status quo in delivering consistent
and uncompromising quality and value in new and inventive ways.
Driven to provide clients a competitive edge, and connected to the
communities where its clients want to do business, Dentons knows
that understanding local cultures is crucial to successfully
completing a deal, resolving a dispute or solving a business
challenge. Now the world’s largest law firm, Dentons’
global team builds agile, tailored solutions to meet the local,
national and global needs of private and public clients of any size
in more than 125 locations serving 50-plus countries.
www.dentons.com

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
