UK Children’s Code comes into force to protect children online
On 2 September 2020, the United Kingdom Information Commissioner’s Office (ICO) announced the coming into force of the Children’s Code (also known as the Age Appropriate Design Code), triggering the start of a 12-month transition period.
The Children’s Code is a data protection code of practice for online services, such as apps, online games, websites and social media platforms that are likely to be accessed by children. Specifically, it addresses how to design data protection safeguards into online services to ensure that they are appropriate for use by – and meet the development needs of – children.
The focus is on providing default settings that ensure children have the best possible access to online services while minimising data collection and use by default. It also ensures that children who choose to change their default settings get the right information, guidance and advice before they do so, and proper protection in how their data is used afterwards.
The Children’s Code sets out 15 standards that are cumulative and interlinked. In summary, these standards are as follows:
- Best interests of the child: The best interests of the child should be a primary consideration when you design and develop online services likely to be accessed by a child.
- Data protection impact assessments: A data protection impact assessment (DPIA) should be undertaken to assess and mitigate risks to the rights and freedoms of children who are likely to access your service.
- Age-appropriate application: A risk-based approach should be taken to recognising the age of individual users.
- Transparency: The privacy information you provide to users, and other published terms, policies and community standards, must be concise, prominent and in clear language suited to the age of the child.
- Detrimental use of data: Children’s personal data should not be used in ways that have been shown to be detrimental to their wellbeing, or that go against industry codes of practice, other regulatory provisions or government advice.
- Policies and community standards: Uphold your own published terms, policies and community standards, including privacy policies, age restriction, behaviour rules and content policies.
- Default settings: Settings must be ‘high privacy’ by default, unless you can demonstrate a compelling reason for a different default setting, taking account of the best interests of the child.
- Data minimisation: Collect and retain only the minimum amount of personal data you need to provide the elements of your service in which a child is actively and knowingly engaged. Give children separate choices over which elements they wish to activate.
- Data sharing: Do not disclose children’s data unless you can demonstrate a compelling reason to do so, taking account of the best interests of the child.
- Geolocation: Switch geolocation options off by default, unless you can demonstrate a compelling reason for geolocation to be switched on by default, taking account of the best interests of the child. Provide an obvious sign for children when location tracking is active. Options which make a child’s location visible to others must default back to ‘off’ at the end of each session.
- Parental controls: If you provide parental controls, give the child age-appropriate information about this. If your online service allows a parent or carer to monitor their child’s online activity or track their location, provide an obvious sign to the child when they are being monitored.
- Profiling: Switch options which use profiling ‘off’ by default, unless you can demonstrate a compelling reason for profiling to be on by default, taking account of the best interests of the child. Only allow profiling if you have appropriate measures in place to protect the child from any harmful effects, such as being fed content that is detrimental to their health or wellbeing.
- Nudge techniques: Do not use nudge techniques to lead or encourage children to provide unnecessary personal data or weaken or turn off their privacy protections.
- Connected toys and devices: If you provide a connected toy or device, ensure you include effective tools to enable conformance with the Children’s Code.
- Online tools: Provide prominent and accessible tools to help children exercise their data protection rights and report concerns.
The Children’s Code is accessible here.
Please note: The information contained in this note is for general guidance on matters of interest, and does not constitute legal advice. For any enquiries, please contact us at [email protected].