The Information Commissioner's Office (ICO) has published its Age Appropriate Design Code setting out 15 technology neutral standards for age appropriate design in digital services.
Providers of digital services (think providers of apps, programs, websites, games or community environments, and connected toys) must build these standards into their design processes from the start, flow through their requirements as upgrades to existing services, and perform or update data protection impact assessments to ensure their services fairly and lawfully process children's personal data as required by GDPR.
The code represents a call to action for those in the digital sector, who from the time of implementation (following completion of legislative processes) will have a 12 month transition period to update their services, or risk non-compliance with data protection laws. The code is expected to take full effect in the autumn of 2021.
Here are the ICO's 15 risk-based standards of age appropriate design:
1. The best interests of the child should be the primary consideration. Service providers must ensure children are safe from exploitation risks, and that their health, development, and sense of identity are protected;
2. Data protection impact assessments must be undertaken to assess and mitigate risks to children who are likely to use or be impacted by your services.
3. Age appropriate application - you should take a risk based approach to recognizing the age of your users, acknowledging the different needs of children at different stages of development and applying the code accordingly. Either establish age with a level of certainty appropriate to the risks arising from your processing or apply the standards of the code to all users.
4. Transparency - your privacy information, terms policies and community standards must be concise, prominent, and in clear language suited to the age of your users. In order to provide children with specific protection (as required by GDPR) they must be provided with ‘bite-size’ explanations, at the point at which their personal data is collected and activated.
5. Detrimental use of data - children's personal data cannot be used in ways which has been shown to be detrimental to their wellbeing, or that go against industry codes of practice, regulatory provisions or government advice. Particular care should be taken when profiling children, including making inferences based on their personal data, or processing geo-location data. Beware and give extra consideration to strategies designed to extend user engagement such as reward loops, continuous scrolling, notifications and auto-play features.
6. Policies and community standards - you will need to adhere to your own published terms and conditions and policies. Community rules and conditions of use for users must be actively upheld and enforced.
7. Default settings - recognising that many children will just accept whatever default settings you provide, your settings must be ‘high privacy’ by default taking into account the best interests of the child. This applies to your use of data, use by third parties and user by other users.
8. Data minimisation - you should only collect and retain the minimum amount of personal data you need to provide the parts of your service in which a child is actively and knowingly engaged. Provide children with choices over which elements of your service to activate.
9. Data sharing - you should not disclose children’s data unless you are able to demonstrate a compelling reason to do so (taking account of the best interests of the child). This can cover sharing information with different parts of your organisation, or with other entities in your group.
10. Geolocation - should be deactivated by default (unless there is a compelling reason to do so taking account of the best interests of the child). An obvious sign should be provided when tracking is active. If the location is available to others this should default back to off at the end of each session.
11. Parental controls - if such controls are utilised, the child should be provided with age appropriate information about this. If a parent or carer can actively monitor activity or location, the child should be provided with an obvious sign when they are being monitored. The code includes guidance about what information should be provided to the users about parental controls at each stage of development (including specifying at what ages audio and video explanations should be provided).
12. Profiling - should be off by default unless there is a compelling reason for the interests of the child. This does not mean profiling is impossible or banned. You may need to balance this requirement with ensuring children are not presented with unsuitable content, but profiling for commercial purposes such as targeted advertising should be deactivated by default. Detailed guidance on your GDPR, direct marketing, and cookie compliance considerations here are provided within the code.
13. Nudge techniques - should not be used to lead or encourage children. to provide unnecessary personal data or deactivate privacy controls. Choices should be given equal prominence. Requirements for different stages of development are included in the code.
14. Connected toys and devices - which are connected to the internet should include effective tools to comply with the code. You may be faced with particular challenges here, for example, the requirement persists for non-screen based products, and those integrating third party online functionality to their physical products will need to monitor compliance and ensure overall compliance with the code irrespective of the third party's responsibilities.
15. Online tools - should be provided to children to help them use their data protection rights and to report concerns. Children will need to be made aware of their rights (such as a right to access the information you hold about them, and withdraw consent) and must be able to easily exercise them. Age appropriate guidance for different ages is included in the code. By way of example the code envisages "download all my data", "stop using my data", "delete all my data" tools.
Thoughts from Elizabeth Denham, The UK Information Commissioner are included below:
I believe companies will want to conform with the standards because they will want to demonstrate their commitment to always acting in the best interests of the child. Those companies that do not make the required changes risk regulatory action. What’s more, they risk being left behind by those organisations that are keen to conform. A generation from now, I believe we will look back and find it peculiar that online services weren’t always designed with children in mind. When my grandchildren are grown and have children of their own, the need to keep children safer online will be as second nature as the need to ensure they eat healthily, get a good education or buckle up in the back of a car.