The Information Commissioner’s Office (ICO) has launched a consultation on a code of practice for online services to ensure they adequately safeguard children’s personal data. This follows on from the UK consultation for new online safety laws (discussed here). The Irish government has also recently launched guidance in relation to online safety (discussed here). The UK Data Protection Act (DPA) 2018 also requires the ICO to produce an age-appropriate design code of practice to give guidance to organisations about the privacy standards they should adopt when offering online services and apps that children are likely to access and which will process their personal data.
The code of practice aims to be a global benchmark, setting out 16 standards that online services, such as apps, social media platforms, and streaming services must meet to protect children’s privacy. It is not restricted to services specifically directed at children.
The draft code states that the best interests of the child should be the primary consideration when developing online services. The code will ensure greater transparency in relation to published terms, policies and community standards. It has taken account of the principles and protections of both the GDPR and the United Nations Convention on the Rights of the Child (UNCRC) to provide practical guidance for online services.
Summary of code standards
The 16 standards that online services must meet when designing and developing services likely to be accessed by children include:
- Best interests of the child: The best interests of the child should be a primary consideration when designing and developing online services likely to be accessed by a child.
- Age-appropriate application: Online services should consider the age range of their audience and the needs of children of different ages.
- Transparency: The privacy information provided to users, and other published terms, policies and community standards, must be concise, prominent and in clear language suited to the age of the child.
- Detrimental use of data: Children’s personal data should not be used in ways that have been shown to be detrimental to their wellbeing, or that go against industry codes of practice, other regulatory provisions or Government advice.
- Policies and community standards: Online services must uphold their published terms, policies and community standards (including but not limited to privacy policies, age restriction, behaviour rules and content policies).
- Default settings: Settings must be ‘high privacy’ by default (unless there is a compelling reason for a different default setting, taking account of the best interests of the child).
- Data minimisation: Only the minimum amount of personal data should be collected and retained. Children should be given separate choices over which elements they wish to activate.
- Data sharing: Children’s data should not be disclosed unless online services can demonstrate a compelling reason to do so, taking account of the best interests of the child.
- Geolocation: Geolocation options should be switched off by default (unless there is a compelling reason for geolocation, taking account of the best interests of the child), and an obvious sign is provided to children when location tracking is active.
- Parental controls: If parental controls are provided, children should be provided with age appropriate information about this. If an online service allows a parent or carer to monitor their child’s online activity or track their location, provide an obvious sign should be provided to children when they are being monitored.
- Profiling: Profiling options should be switched off by default (unless there is a compelling reason for profiling, taking account of the best interests of the child). Profiling should only be allowed where appropriate measures are in place to protect the child from any harmful effects.
- Nudge techniques: Nudge techniques should not be used to lead or encourage children to provide unnecessary personal data, weaken or turn off their privacy protections, or extend their use.
- Connected toys and devices: If a connected toy or device is provided, effective tools should be included to enable compliance with the code.
- Online tools: Prominent and accessible tools should be provided to help children exercise their data protection rights and report concerns.
- Data protection impact assessments: DPIAs should be conducted to specifically assess and mitigate risks to children who are likely to access online services. DPIAs should build in compliance with the code.
- Governance and accountability: Online services should ensure policies and procedures are in place demonstrating how they comply with their data protection obligations, including data protection training for all staff involved in the design and development of services likely to be accessed by children.
Failure to comply with the Code
The code aims to help online services comply, and demonstrate that they comply, with their data protection obligations. Failure to comply with the code may result in regulatory action. In accordance with section 127 of the UK DPA 2018, the ICO must take the code into account when considering whether an online service has complied with its data protection obligations. The code may also be used in evidence in court proceedings, and the courts must take its provisions into account wherever relevant.
The code is open for consultation until 31 May 2019. The final version should come into effect before the end of 2019.