Data and information regulator the Information Commissioner’s Office (ICO) has announced a 12-month deadline for online firms to become compliant with new regulation designed to protect children online.

The Age Appropriate Design Code or Children’s Code, also referred to as the ‘Kid’s Code’ or ‘Children’s code’, is designed to protect children under the age of 18. The code comes into force today, triggering the start of a 12-month transition period.

Much like GDPR, which the ICO also enforces, it has the power to enact compulsory audits, orders to stop processing and fines of up to 4% of global turnover on non-compliant firms.

The code applies to organisations providing online services and products “likely to be accessed by children up to age 18”.

The code is risk based, which means it does not apply to all organisations in the same way.

Those responsible for designing, developing or providing online services like apps, connected toys, social media platforms, online games, educational websites and streaming services that use, analyse and profile children’s data, are likely to have to do more to conform to the code, the ICO said.

The code sets out 15 standards for designers of online services and products and how they should comply with data protection law.

The code will require digital services to automatically provide children with a built-in baseline of data protection whenever they download a new app, game or visit a website.

All the major social media and online services used by children in the UK will need to conform to the code.

Elizabeth Denham, Information Commissioner, said: “This code makes clear that kids are not like adults online, and their data needs greater protections. We want children to be online, learning and playing and experiencing the world, but with the right protections in place.

“We do understand that companies, particularly small businesses, will need support to comply with the code and that’s why we have taken the decision to give businesses a year to prepare, and why we’re offering help and support.”

The regulator is calling on organisations to get in touch to highlight the extra help they may need to understand the new code, and said it will spend the next year developing a tailored package of support to help organisations adapt their online products and services before 2 September 2021.

The 15 points of the Age Appropriate Design Code are:

Best interests of the child: The best interests of the child should be a primary consideration when you design and develop online services likely to be accessed by a child.

Data protection impact assessments: Undertake a DPIA to assess and mitigate risks to the rights and freedoms of children who are likely to access your service, which arise from your data processing. Take into account differing ages, capacities and development needs and ensure that your DPIA builds in compliance with this code.

Age appropriate application: Take a risk-based approach to recognising the age of individual users and ensure you effectively apply the standards in this code to child users. Either establish age with a level of certainty that is appropriate to the risks to the rights and freedoms of children that arise from your data processing, or apply the standards in this code to all your users instead.

Transparency: The privacy information you provide to users, and other published terms, policies and community standards, must be concise, prominent and in clear language suited to the age of the child. Provide additional specific ‘bite-sized’ explanations about how you use personal data at the point that use is activated.

Detrimental use of data: Do not use children’s personal data in ways that have been shown to be detrimental to their wellbeing, or that go against industry codes of practice, other regulatory provisions or Government advice.

Policies and community standards: Uphold your own published terms, policies and community standards (including but not limited to privacy policies, age restriction, behaviour rules and content policies).

Default settings: Settings must be ‘high privacy’ by default (unless you can demonstrate a compelling reason for a different default setting, taking account of the best interests of the child).

Data minimisation: Collect and retain only the minimum amount of personal data you need to provide the elements of your service in which a child is actively and knowingly engaged. Give children separate choices over which elements they wish to activate.

Data sharing: Do not disclose children’s data unless you can demonstrate a compelling reason to do so, taking account of the best interests of the child.

Geolocation: Switch geolocation options off by default (unless you can demonstrate a compelling reason for geolocation to be switched on by default, taking account of the best interests of the child). Provide an obvious sign for children when location tracking is active. Options which make a child’s location visible to others must default back to ‘off’ at the end of each session.

Parental controls: If you provide parental controls, give the child age appropriate information about this. If your online service allows a parent or carer to monitor their child’s online activity or track their location, provide an obvious sign to the child when they are being monitored.

Profiling: Switch options which use profiling ‘off’ by default (unless you can demonstrate a compelling reason for profiling to be on by default, taking account of the best interests of the child). Only allow profiling if you have appropriate measures in place to protect the child from any harmful effects (in particular, being fed content that is detrimental to their health or wellbeing).

Nudge techniques: Do not use nudge techniques to lead or encourage children to provide unnecessary personal data or weaken or turn off their privacy protections.

Connected toys and devices: If you provide a connected toy or device ensure you include effective tools to enable conformance to this code.

Online tools: Provide prominent and accessible tools to help children exercise their data protection rights and report concerns.