The Information Commissioner's Office ("ICO") has published its final Age Appropriate Design Code. The Code sets out standards to which service providers should adhere in order to protect children's privacy. The Age Appropriate Design Code includes 15 standards and covers services that are likely to be accessed or used by children and which process their data, such as applications, connected toys, social media platforms, online games and streaming services.
The Code requires providers of online services to take the best interest of the child as a primary consideration, when designing and developing online services that are likely to be accessed by children. Providers should also take a risk-based approach to recognize the age of individual users and ensure they effectively apply the other standards in the Code.
Under the Code, companies are required to automatically provide children with a built-in baseline of data protection and to set privacy settings at a high level by default. Consequently, the collection of geolocation information and the profiling settings shall be off by default. In addition, the data collected should be minimized and children's personal data shall not be shared, unless there is a compelling reason to do so. The ICO also prohibits the use of nudge techniques to encourage children to provide consents that will weaken their privacy protections.
Companies are required to publish their policies in a clear and concise language, which is suitable for children and to include additional specific explanations as to how personal information is used. Services and products which provide parental controls shall also give children the appropriate information. Where a service allows parents to monitor their children, the service provider will be required to provide children with a prominent sign notifying them that they are being monitored.
The ICO states that the Code seeks to protect children within the digital world without restricting their access to it. The focus is to provide children with default settings, which will ensure children have the best possible online access, while minimizing data collection and use. The Code also strives to ensure that children who choose to provide their personal information will receive the appropriate guidance and information before doing so.
Once the Code will be approved by the United Kingdom Parliament, companies will have 12 months to implement the necessary changes as part of their other data protection requirements.
We have recently reported on how Apple, Google and Youtube updated their policies focusing on the protection of children.