UK:
ICO Publishes Age Appropriate Design Code Of Practice For Online Products And Services Accessed By Children
On 21 January 2020, the ICO published the Age
Appropriate Design Code of Practice. The Code is
available here.
Who does the Code apply to?
- The Code applies to information society services which are likely to be accessed by under-18s. The ISS does not have to be deliberately directed at children.
- This includes any online products or services (e.g. apps, programs, websites, games). This also includes Internet of Things (IoT) connected toys and devices – whether with or without a screen.
- The Code applies to ISS with an establishment in the UK OR those that are outside the UK (but target goods and services to, or monitor children in the UK).
What does the Code say?
The Code sets out 15 headline “standards of age appropriate
design”:
- Best Interests: The best interests of the child should be a primary consideration when you design and develop online services likely to be accessed by a child.
- Data Protection Impact Assessments: You should undertake a DPIA before launching the product or service to assess and mitigate risks to the rights and freedoms of children.
- Age Appropriate Application: You should take a risk-based approach to recognising the age of individual users and ensure you effectively apply the standards in this code to child users. Either establish age with a level of certainty that is appropriate to the risks to the rights and freedoms of children that arise from your data processing OR apply the standards in this code to all your users instead.
- Transparency: The privacy information you provide to users must be concise, prominent, and in clear language suited to the age of the child.
- Detrimental Use of Data: You should not use children’s personal data in ways that have been shown to be detrimental to their wellbeing, or that go against industry codes of practice, other regulatory provisions, or Government advice.
- Policies and Community Standards: Uphold your own published terms, policies and community standards (including but not limited to privacy policies, age restriction, behaviour rules and content policies).
- Default Settings: Settings must be ‘high privacy’ by default (unless you can demonstrate a compelling reason for a different default setting, taking account of the best interests of the child).
- Data Minimisation: Collect and retain only the minimum amount of personal data you need to provide the elements of your service in which a child is actively and knowingly engaged. Give children separate choices over which elements they wish to activate.
- Data Sharing: You should not disclose children’s data unless you can demonstrate a compelling reason to do so, taking account of the best interests of the child.
- Geolocation: You should switch geolocation options off by default (unless you can demonstrate a compelling reason for geolocation to be switched on by default, taking account of the best interests of the child), and provide an obvious sign for children when location tracking is active. Options which make a child’s location visible to others should default back to ‘off’ at the end of each session.
- Parental Controls: If you provide parental controls, give the child age appropriate information about this. If your online service allows a parent or carer to monitor their child’s online activity or track their location, provide an obvious sign to the child when they are being monitored.
- Profiling: You should switch options which use profiling ‘off’ by default (unless you can demonstrate a compelling reason for profiling to be on by default, taking account of the best interests of the child). Only allow profiling if you have appropriate measures in place to protect the child from any harmful effects (in particular, being fed content that is detrimental to their health or wellbeing).
- Nudge techniques: You should not use nudge techniques to lead or encourage children to provide unnecessary personal data or turn off privacy protections.
- Connected Toys and Devices (IoT): If you provide a connected toy or device, ensure you include effective tools to enable conformance to this code.
- Online Tools: Provide prominent and accessible tools to help children exercise their data protection rights and report concerns.
What should businesses do?
There are five steps that businesses should take now to prepare
themselves (as set out in the Code):
- Step 1: Implement an accountability programme
- Step 2: Have policies to support and demonstrate compliance
- Step 3: Train staff
- Step 4: Keep proper records
- Step 5: Be prepared to demonstrate compliance with the Code
What happens now?
- The Code needs to be notified to the European Commission and laid before Parliament (in case there are any objections). This process will likely be concluded in July / August 2020.
- Businesses will then have 12 months to implement the changes from the date the Code takes effect. Based on the timescales above, we anticipate the Code will take effect around August/September 2021.
- The ICO will enforce the Code in line with their Regulatory Action Policy and may impose fines under the Privacy and Electronic Communications Regulations (PECR) and/or GDPR, depending on the nature of the breach.
Dentons is the world’s first polycentric global law firm. A
top 20 firm on the Acritas 2015 Global Elite Brand Index, the Firm
is committed to challenging the status quo in delivering consistent
and uncompromising quality and value in new and inventive ways.
Driven to provide clients a competitive edge, and connected to the
communities where its clients want to do business, Dentons knows
that understanding local cultures is crucial to successfully
completing a deal, resolving a dispute or solving a business
challenge. Now the world’s largest law firm, Dentons’
global team builds agile, tailored solutions to meet the local,
national and global needs of private and public clients of any size
in more than 125 locations serving 50-plus countries.
www.dentons.com.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.