Although protecting children is mentioned several times in the GDPR, it has been left to individual EU Member States to develop their own codes of conduct for protecting children’s privacy online. The ICO will publish its Code of Conduct, ‘Age Appropriate Design: A code of practice for online services’, under the DPA 2018 on 23rd November 2019. The information in this blog is based on the consultation document (the consultation is now closed), so there may be changes we won’t know about until the code is released. There’s no harm in getting to grips with the key themes now, and we can update you with any changes once the code is published.
The code is designed for providers of Information Society Services (ISS), who will have a year’s grace to implement it. Just over a year on from the implementation of the Data Protection Act 2018, we’ve started to see some regulatory action announced by the ICO, and recent actions under the old law have focused on the ‘fairness’ of processing. The code isn’t without its critics, but in any event it’s clear that providers of Information Society Services have plenty to think about.
Which companies must comply?
As mentioned above, the code for Age Appropriate Design applies to providers of information society services. If you provide online products or services such as apps, programs, websites, games or community environments, and connected toys or devices (with or without a screen) that process personal data and are likely to be accessed by children in the UK, then this means you!
Under the GDPR, EU Member States can decide what age constitutes a child, with the minimum being 13. Under the UK’s proposed code, a child is someone under the age of 18.
The code is not restricted to services provided specifically for children. Because children are wily and curious creatures and may well be using a service not necessarily designed for them, as an ISS provider, you must decide whether your service is likely to be attractive to children even if it’s not intended for them. If it is, you should adhere to the code.
If you don’t believe your service is accessed by children, I’m afraid it’s not as simple as just stating that. If you take this stance, you have to provide proof to back up your claim, which requires a bit of legwork. Proof could take the form of market research or customer behaviour analysis.
When does the Age Appropriate Design code apply?
The code applies to all ISSs based in the UK and to those based outside the UK that have a branch or ‘establishment’ in the UK. If you do not have an ‘establishment’ in the UK and the ICO is not your regulatory body, then this code of conduct does not apply. However, even in this situation it may still apply if you are offering services to, or monitoring the behaviour of, UK users who are likely to be children.
It does not apply to websites or apps which provide online counselling or other preventive services (such as health screenings or check-ups) to children. Online services provided by a police force or other competent authority for law enforcement purposes are also exempt.
(Please note that the code does apply to general health, fitness or well-being apps or services.)
What is in the proposed code?
The proposed code consists of sixteen standards, which are listed below. Full guidance on these can be found here; they include very reasonable requirements such as setting defaults to ‘high privacy’, having geolocation services turned off by default, and not using nudge techniques designed to encourage longer usage or weaken privacy settings.
- Best interests of the child
- Age-appropriate application
- Detrimental use of data
- Policies and community standards
- Default settings
- Data minimisation
- Data sharing
- Parental controls
- Nudge techniques
- Connected toys and devices
- Online tools
- Data protection impact assessments: Undertake a DPIA specifically to assess and mitigate risks to children who are likely to access your service, taking into account differing ages, capacities and development needs. Ensure that your DPIA builds in compliance with this code.
- Governance and accountability: Ensure you have policies and procedures in place which demonstrate how you comply with data protection obligations, including data protection training for all staff involved in the design and development of online services likely to be accessed by children. Ensure that your policies, procedures and terms of service demonstrate compliance with the provisions of this code.
Where to start with Age Appropriate Design?
You’ll see I’ve included the full description for standards 15 and 16 above. Whilst the code in its entirety is yet to be confirmed, your time would not be wasted if you started by creating your Data Protection Impact Assessment and setting out your policies and procedures under the ‘Governance and accountability’ standard. These will form the backbone of all the other standards you will need to adhere to anyway.
Under the GDPR, the collection and processing of children’s personal data for marketing purposes, profiling or other automated decision-making, or for offering online services directly to children, is classed as ‘high risk’. As such, carrying out a DPIA is a legal obligation. A DPIA is a process you undertake when starting, or making changes to, a project or process involving personal data that could present a high risk to data subjects. It involves assessing the risks and identifying measures to reduce them.
Carrying out a DPIA also helps demonstrate compliance with Article 25 of GDPR which requires data protection by design and default. This process ensures data protection compliance and risk management are incorporated from the planning onwards and not backward engineered into a new product, service or activity.
Crafting your policies and procedures will set the tone for your staff and enable you to train everyone involved with the provision of your service.
We’ll have to wait for the release of the code this November for firm details. However, if you are an ISS preparing for this code and need help determining whether you are required to comply, or if you need help with a DPIA or crafting policies and procedures, we can help. Contact us for a friendly chat.