Fresh on the heels of the Government’s publication earlier in April of its “Online Harms White Paper”, which proposes a new regulatory framework for the digital economy to improve safety online, the Information Commissioner’s Office (“ICO”) has published a draft code of practice relating to online services likely to be accessed by children. The draft ties in with two of the ICO’s own published key strategic objectives: “to be proactive in identifying and mitigating new or emerging risks arising from technological and societal change”, and addressing the use of children’s data.
The draft code provides practical guidance on “…how to design data protection safeguards into online services to ensure they are appropriate for use by, and meet the development needs of, children”, focussing on the following 16 standards of age-appropriate design for information society services likely to be accessed by children:
- The best interests of the child should be a primary consideration when you develop and design online services likely to be accessed by a child.
- Age-appropriate application: consider the age ranges of your audience and the needs of children of different ages.
- Transparency: privacy information must be clear and suited to the age of the child.
- Detrimental use of data: do not use children’s personal data in ways that have been shown to be detrimental to their wellbeing or that go against industry codes of practice, other regulatory provisions or Government advice.
- Uphold your own published terms, policies and community standards.
- Settings must be “high privacy” by default.
- Data minimisation: collect and retain the minimum amount of personal data necessary to deliver the elements of your service in which a child is actively and knowingly engaged.
- Data sharing: do not disclose children’s data unless you can demonstrate a compelling reason to do so, taking into account the best interests of the child.
- Switch geolocation off by default.
- If you provide parental controls, give the child age appropriate information about this.
- Switch options which use profiling off by default.
- Do not use “nudge techniques” (ie design features which lead or encourage users to follow a particular path, eg a more prominent “accept” button than “decline” button) to lead or encourage children to provide unnecessary personal data, turn off privacy protections or extend their use.
- If you provide connected toys (ie toys / devices that are connected to the internet), ensure you include effective tools to enable compliance with the Code.
- Provide prominent and accessible tools to help children exercise their data protection rights and report concerns.
- Undertake a data protection impact assessment (“DPIA”) to assess and mitigate risks to children likely to access your service.
- Governance and accountability: ensure you have policies and procedures in place to demonstrate how you comply with data protection obligations.
“Information society service” (“ISS”) is defined in the Data Protection Act 2018 as “any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services”. In practice, most online services (eg apps, programs and many websites) will be ISS, because the remuneration does not need to come directly from the end user: free services funded by advertising will still be ISS, as long as they involve “economic activity” generally.
Importantly, the draft code works on the assumption that even if you believe only adults are likely to use your service (ie that the code does not apply to you), you still need to be able to demonstrate that this is the case (eg through market research). The scope of the code is therefore much wider than services marketed specifically at children.
The consultation on the draft code remains open until 31 May 2019. Once finalised, the code will have statutory legal status: failure to comply may result in regulatory action, and the code can be used in evidence in court proceedings. The finalised code is expected to come into effect before the end of the year after being laid before Parliament.