Firms given year to comply with ‘Children’s Code’ or face GDPR-style fines
Posted on September 2, 2020 by Alistair Hardaker
Data and information regulator The Information Commissioner’s Office (ICO) has announced a 12 month deadline for online firms to become compliant with new regulation designed to protect children online.
The Age Appropriate Design Code or Children’s Code, also referred to as the ‘Kid’s Code’ or ‘Children’s code’ is designed to protect children under the age of 18. The code comes into force today, triggering the start of a 12 month transition period.
Much like GDPR, which the ICO also enforces, it has the power to enact compulsory audits, orders to stop processing and fines of up to 4% of global turnover on non-compliant firms.
The code applies to organisations providing online services and products “likely to be accessed by children up to age 18”.
The code is risk based, which means it does not apply to all organisations in the same way.
Those responsible for designing, developing or providing online services like apps, connected toys, social media platforms, online games, educational websites and streaming services that use, analyse and profile children’s data, are likely to have to do more to conform to the code, the ICO said.
The code sets out 15 standards for designers of online services and products and how they should comply with data protection law.
The code will require digital services to automatically provide children with a built-in baseline of data protection whenever they download a new app, game or visit a website.
All the major social media and online services used by children in the UK will need to conform to the code.
Elizabeth Denham, Information Commissioner said: “This code makes clear that kids are not like adults online, and their data needs greater protections. We want children to be online, learning and playing and experiencing the world, but with the right protections in place.
“We do understand that companies, particularly small businesses, will need support to comply with the code and that’s why we have taken the decision to give businesses a year to prepare, and why we’re offering help and support.”
The regulator is calling on organisations to get in touch to highlight the extra help they may need to understand the new code., and said it will spend the next year developing a tailored package of support to help organisations adapt their online products and services before 2 September 2021.
The 15 points on the age The Age Appropriate Design Code are:
Best interests of the child: The best interests of the child should be a primary consideration when you design and develop online services likely to be accessed by a child.
Data protection impact assessments: Undertake a DPIA to assess and mitigate risks to the rights and freedoms of children who are likely to access your service, which arise from your data processing. Take into account differing ages, capacities and development needs and ensure that your DPIA builds in compliance with this code.
Age appropriate application: Take a risk-based approach to recognising the age of individual users and ensure you effectively apply the standards in this code to child users. Either establish age with a level of certainty that is appropriate to the risks to the rights and freedoms of children that arise from your data processing, or apply the standards in this code to all your users instead.
Transparency: The privacy information you provide to users, and other published terms, policies and community standards, must be concise, prominent and in clear language suited to the age of the child. Provide additional specific ‘bite-sized’ explanations about how you use personal data at the point that use is activated.
Detrimental use of data: Do not use children’s personal data in ways that have been shown to be detrimental to their wellbeing, or that go against industry codes of practice, other regulatory provisions or Government advice.
Policies and community standards: Uphold your own published terms, policies and community standards (including but not limited to privacy policies, age restriction, behaviour rules and content policies).
Default settings: Settings must be ‘high privacy’ by default (unless you can demonstrate a compelling reason for a different default setting, taking account of the best interests of the child).
Data minimisation: Collect and retain only the minimum amount of personal data you need to provide the elements of your service in which a child is actively and knowingly engaged. Give children separate choices over which elements they wish to activate.
Data sharing: Do not disclose children’s data unless you can demonstrate a compelling reason to do so, taking account of the best interests of the child.
Geolocation: Switch geolocation options off by default (unless you can demonstrate a compelling reason for geolocation to be switched on by default, taking account of the best interests of the child). Provide an obvious sign for children when location tracking is active. Options which make a child’s location visible to others must default back to ‘off’ at the end of each session.
Parental controls: If you provide parental controls, give the child age appropriate information about this. If your online service allows a parent or carer to monitor their child’s online activity or track their location, provide an obvious sign to the child when they are being monitored.
Profiling: Switch options which use profiling ‘off’ by default (unless you can demonstrate a compelling reason for profiling to be on by default, taking account of the best interests of the child). Only allow profiling if you have appropriate measures in place to protect the child from any harmful effects (in particular, being fed content that is detrimental to their health or wellbeing).
Nudge techniques: Do not use nudge techniques to lead or encourage children to provide unnecessary personal data or weaken or turn off their privacy protections.
Connected toys and devices: If you provide a connected toy or device ensure you include effective tools to enable conformance to this code.
Online tools: Provide prominent and accessible tools to help children exercise their data protection rights and report concerns.