The Information Commissioner’s Office (ICO) has released a draft code of practice for online services that are likely to be accessed by children under the age of 18 (the code).
The code has been issued under the Data Protection Act 2018 and introduces 16 standards of age appropriate design for online services. The code is wide reaching and may apply even if online services are not specifically directed at children.
The focus of the code is having regard to the best interests of children. Non-compliance with the code means online service providers are unlikely to be able to demonstrate compliance with data protection laws, leaving organisations liable to action by the ICO.
The code is currently in draft form and is open for public consultation until 31 May 2019. The final version will need to be approved by Parliament and is expected to come into effect by the end of 2019.
Who does the code apply to?
The code applies to:
- relevant information society services (ISS);
- which are likely to be accessed by children under the age of 18.
A relevant ISS (for the purposes of the code) is:
any service (normally provided for remuneration), at a distance, by electronic means at the individual request of a recipient of services.
This will normally involve the sale of products or access to a specific service.
This is a wide definition and will cover applications, websites, social media platforms and content streaming services.
The ISS does not have to be provided for remuneration. Not-for-profit services or those which are funded solely through advertising will also fall within this definition.
Likely to be accessed by children under the age of 18
The focus of the code is whether a service is likely to be accessed by children under 18, making the application of the code extremely wide reaching.
The code applies not only to services specifically directed at children, but also those that appeal to children (including those directed at adults, which in practice attract children).
The ICO recommends that ISS providers conduct market research to demonstrate conclusively whether or not their service is likely to be accessed by children. If you cannot conclusively demonstrate that only adults will access your service, there is a chance it may be accessed by children and therefore the code will apply. For most ISS providers, best practice will be to ensure compliance with the code, since most websites, applications, streaming services and social media platforms are easily accessible and therefore likely to be accessed by children.
Does the code apply to me if my organisation is based outside of the UK?
The draft code will apply to all ISS providers that are likely to be accessed by children under 18 years old and are based:
- in the UK;
- outside the UK with a branch, office or other establishment in the UK;
- outside the European Economic Area (EEA) which offer services to users in the UK; or
- outside the EEA which monitor the behaviour of users in the UK.
Under the GDPR one-stop-shop arrangement, if the ISS provider has a lead supervisory authority other than the ICO and does not have a UK establishment, the code will not apply.
What are the requirements of the draft code?
The code introduces 16 standards of age appropriate design, all of which must be met to demonstrate compliance with data protection laws when processing children’s personal data.
The standards expand on the requirements set out in the General Data Protection Regulation (GDPR) by providing specific practical measures and safeguards for children. Further details of each standard can be found in the draft code, but below is a summary.
Best interests of the child
This should be the primary consideration when online services are designed and developed.
Age appropriate application
The different age ranges and stages of development should be at the heart of how the ISS is designed.
ISS providers should choose whether to apply this standard to:
- all ISS users by default;
- all ISS users by default, while allowing adults to opt out; or
- all children by default.
In practice, the ISS provider will need either to put in place robust age verification mechanisms or apply the same standards to all users by default. The code makes it clear that age-verification mechanisms must be robust and effective. For example, it must not be possible for a child to bypass such a check by merely ticking a box.
Transparency
The privacy information the ISS provides should be concise, prominent and use clear language suited to the age of the child.
This may involve having additional child-friendly information, alongside the more detailed, technical information for adults.
Detrimental use of data
Personal data of children should not be used in ways that would be detrimental to their wellbeing or go against industry codes of practice (e.g. the CAP guidance on online behavioural advertising), other regulatory provisions or Government advice.
The code recommends keeping up to date with Government advice regarding the welfare of children in the context of digital or online services.
Policies and community standards
ISS providers should uphold their own terms, policies and community standards (including privacy policies, age restriction, behaviour rules and content policies). This means not only adhering to their own published terms and conditions and policies, but also actively upholding and enforcing any community rules or conditions of use set for users.
Default settings
By default, settings for children must be high privacy (unless there is a compelling reason to do otherwise, taking account of a child’s best interests).
This means that the personal data of children should only be visible to other users and third parties if the child specifically edits their settings. If a child attempts to change a privacy setting, the ISS should provide appropriate explanations and prompts.
Data minimisation
As with the personal data of those over 18 years old, collection and retention of children’s personal data should be kept to a minimum and only for the specific element of the ISS being used at the time.
Data sharing
Personal data of children should not be disclosed to any third parties, unless there is a compelling reason to do so, taking account of the best interests of the child. An example of a compelling reason to share personal data would be for safeguarding purposes.
Geolocation
By default, geolocation for a child should be switched off (unless a compelling reason to switch it on can be demonstrated, taking account of the best interests of the child).
When a child’s geolocation is active, this must be clearly signposted to the child.
Parental controls
Examples of controls include settings that allow parents and guardians to limit activity or limit the timings of such activity.
The ISS provider should clearly tell children if a parent or guardian has the ability to monitor their online activity.
Profiling
Profiling is the use of personal data to analyse certain aspects or traits, such as behaviour, location and personal interests.
All such profiling should be switched off by default for children, unless there is a compelling reason to switch it on, taking account of the best interests of the child.
Nudge techniques
Children should not be encouraged to:
- provide unnecessary personal data;
- take any action which would decrease their level of privacy protection; or
- prolong the use of an ISS at decreased levels of privacy protection.
Nudges towards pro-privacy actions may be relevant, depending on the age of the child.
Connected toys and devices
These must include effective tools to enable compliance with the code. Any ISS provider offering connected toys and devices will need to ensure that clear information about the product’s use of personal information is provided at the point of purchase and prior to device set-up.
Online tools
Children should be provided with easy access to age appropriate and easy to use tools to enable them to exercise their data protection rights and report any concerns they may have.
Data protection impact assessments (DPIAs)
ISS providers should undertake DPIAs specifically to assess the risks to children and to consider how to mitigate any such risks.
Governance and accountability
ISS providers should ensure policies and procedures are in place to demonstrate compliance with their data protection obligations, including data protection training for all staff involved in the design and development of online services likely to be accessed by children.
In keeping with the theme of the draft code, any compelling reason to depart from the above standards will need to take into account the best interests of the child. A valid compelling reason will most likely relate to safeguarding and welfare.
What happens if I do not comply with the code?
Adherence to the standards set out in the code will be a key measure of compliance with data protection laws. ISS providers that do not comply with the code will find it difficult to demonstrate that their processing is fair and complies with the GDPR or the Privacy and Electronic Communications Regulations (PECR). The ICO has various powers to take action for a breach of the GDPR or PECR, including the following:
- perform audits;
- consider complaints;
- issue warnings;
- issue stop-now orders; and
- issue monetary fines.
Under the GDPR, monetary fines can be up to €20 million or 4% of global annual turnover, whichever is higher.
Can I tell the ICO what I think about the code?
Yes, the draft code is open for public consultation until 31 May 2019. You can complete the online survey on the ICO website.
Further details, including a link to the survey, can be found at: https://ico.org.uk/about-the-ico/ico-and-stakeholder-consultations/age-appropriate-design-a-Code-of-practice-for-online-services/