Having come into effect on 2nd September, the ICO’s Age Appropriate Design Code has dealt firms a new raft of cumbersome data protection requirements to implement within a 12-month transition period.
Also referred to as the ‘Children’s Code’, the document outlines 15 standards to be met by organisations which ensure that children’s data is protected to a default level of privacy when online. The Children’s Code applies to any businesses providing online services and products that are “likely to be accessed” by people in the United Kingdom who are under 18 years old.
In her foreword to the release of the code, Information Commissioner, Elizabeth Denham CBE, said: “A generation from now, I believe we will look back and find it peculiar that online services weren’t always designed with children in mind.
“When my grandchildren are grown and have children of their own, the need to keep children safer online will be as second nature as the need to ensure they eat healthily, get a good education or buckle up in the back of a car.”
The ICO zoomed-in on uncompliant behavioural advertising in its update report released mid-2019, setting the scene for a shift in focus toward protecting how children’s data should be collected, stored and utilised online. The dramatic increase in the time children have been obliged to spend online due to Covid-19 has also accentuated the need for further regulation in the space.
During its consultation period, the Children’s Code was the subject of significant debate and was criticised for the wide scope it recommended (and formally adopted) regarding its definition of the age of a child. The code is to be read in light of the GDPR, notably Recital 38, which states that “children merit specific protection with regard to the use of their personal data.”
Neil Brown, managing director, Decoded Legal explains: “The code gives examples or indications as to how companies might comply with the GDPR. You might see it as putting some flesh on the bare bones of the legislation.
“For example, the GDPR does not expressly require age verification, but a company may not be able to show it has met the GDPR's requirements (in terms of assessment of risk, or appropriate controls, for example) if it has not taken into account the ages of those who use its services.”
The (intentionally) broad age scope of the code poses significant challenges for “information society services”, another broad term which includes search engines, websites, mobile apps, messaging services, social media platforms, educational websites, electronic games, who will be required to massage or even re-craft certain products or services which do not comply.
Commenting on the release of the Children’s Code, Louise Hill, co-founder and COO of the children’s prepaid Visa debit card and app, gohenry, explains that “as a fintech business, data protection is a fundamental part of what we do and we have strict measures in place to keep customer information safe. These include restrictions on data sharing and data collection, and age appropriate application.
“As we do with all new guidelines issued, we are reviewing this new code to confirm we meet all the standards and to make sure our young customers feel protected while receiving the best possible service from us.”
gohenry seems to have pre-empted the Transparency standard of the code, with certain advantageous practices already in place. For instance, the firm provides child-friendly privacy statements explaining legal implications of signing up to their respective services in simple terms. But this is just one sub-requirement of a dense 15 standard Code.
While unavailable to comment on the release of the Children’s Code, Aurelien Guichard, lead product owner, Revolut Junior, spoke to Finextra about the importance of providing a child-friendly privacy statement earlier this year.
Guichard explained: “We were very conscious of the way we designed the app for children. One thing we are quite conscious of is that there is a great difference between 7 year olds and 17 year olds. In terms of trying to address this in our services we see the importance of having multiple ways to explain difficult concepts - even going down to our privacy statements. It’s one of our biggest achievements and we’re quite proud of it.
“We crafted it so that children would understand what their parents have done when it comes to their data - what’s going to happen as they use Revolut Junior and more importantly what their rights are as they are data subjects under GDPR.”
The 15 standards of the Age Appropriate Design Code are as follows:
- Best interests of the child
- Data protection impact assessments
- Age appropriate application
- Detrimental use of data
- Policies and community standards
- Default settings
- Data minimisation
- Data Sharing
- Parental controls
- Nudge techniques
- Connected toys and devices
- Online tools
Ruth Boardman, partner, Bird & Bird explains: “The Code requires organisations to take GDPR principles but to apply them all through the lens of ‘the best interests of the child.’ For example, controllers should only share data with third parties where this is the case.
"For controllers who use online advertising, such as for retargeting, this may affect their ability to share data with ad-tech companies. With regard to Transparency, organisations should ensure their privacy notices are readily understandable by their child audiences. This may mean different notices for younger kids, tweens and teens. Addressing these requirements is likely to take considerable effort, meaning the 12-month period will be needed.”
Now a key focus for the watchdog, prioritisation of protecting children’s rights and freedoms online will be the extended to the ICO’s Regulatory Sandbox for 2020-2021. The Sandbox is accepting applications from innovators who are currently focusing on technologies that address age appropriate privacy information, application to enable increased control of personal data within connected toys, how to convey the best interests of the child within a data protection impact assessment, among others.