Age Appropriate Code of Practice Comes Into Force

14 September, 2020
generic image

On 2nd September, the new Age Appropriate Code of Practice for online services came into force, with a 12 month transitionary period for organisations to put it into effect. 

This code of practice is specifically aimed at how online services provide security and privacy for children. 1 in 5 internet users in the UK is a child, so this is clearly a really important topic to address. 

The code builds on GDPR, with 15 flexible standards to build in protection for children. It provides practical guidance to safeguard childrens’ personal data. This affects apps, games and websites; as well as social media platforms and connected toys. 

The Information Commissioner's Office (ICO) are wanting developers and designers to make these standards part of their everyday approach to digital work. They are developing a support package to assist the industry transition over the next 12 months.

They already have some resources on their site to help organisations get started.

What websites are affected by this?

Any UK website that is likely to be accessed by children is affected, so this includes news and education service websites. 

It also affects websites for museums, attractions and places of interest, plus sites that would be visited by children for homework or hobbies.

Unless your site is already restricted by age (such as gambling or alcohol sites), there is some chance it is, or could be used by children.

Is my site collecting user data?

If you don’t know the answer to this question then it’s a good time to find out.

If your site has no analytics running on it, no third party scripts or embed (not even a Google map), and no forms, then it’s possible you’re not collecting any data at all.

That’s just not how websites are set up these days though. Most have various tracking codes in place from a Facebook pixel for remarketing, Google Tag Manager event tracking for custom actions or ecommerce - all of which are collecting some form of data. 

These should all be detailed in your site cookie policy so that users are aware and can alter their browser settings to turn them on or off.

If you have a form on your site, even a newsletter sign up, then you are definitely collecting user data and how you handle this should all be covered in your privacy policy.

Do I need a new privacy policy just for children?

You shouldn’t need a separate privacy policy, but you may need to reword yours to make sure it’s suitable for all users. This will be easier to keep updated going forward as well. It’s worth checking how understandable your privacy policy is for adults - because if they don’t get it then it should be re-written anyway. 

The Campaign for Plain English works towards removing jargon and making information easy to read and understand for everyone. Working with them or a good copywriter will help you get your policies much more user friendly.

What do I need to do?

You will need to carry out a Data Protection Impact Assessment (DPIA) if there is a chance of high risk, but if you’re looking at starting a new site that involves user data it’s something you should seriously consider anyway.

The ICO have some checklists you can use to help you decide if you need to carry out the assessment or not, and an assessment template Word document for when you do need to go ahead.

Like any risk assessment, this is a case of planning and documenting, and taking it one step at a time.

The 15 standards of the code of practice

The 15 standards of the code of practice in summary are:

  1. The best interests of the child should be the primary consideration of design and development 
  2. Data protection impact assessments, these should be carried out to assess the risks to children in relation to data privacy.
  3. Age appropriate application, either the digital offering needs to be suitable for all ages in relation to data privacy, or it needs to be age appropriate for the user.
  4. Transparency, privacy information needs to be presented in a clear and understandable manner for the age of the user, and “bite-sized” information should be displayed at the point of activation of a data feature.
  5. Detrimental use of data. Children’s personal data must not be used in a manner that can harm their wellbeing.
  6. Policies & community standards published on your site/app must be upheld (e.g. your privacy policy).
  7. Default settings must be “high privacy” as standard.
  8. Data minimisation. Collect and use the least amount of data needed to operate the service, and make sure the user understands and consents to allowing more data to be collected and what it will be used for.
  9. Data sharing. Children’s data must not be disclosed unless there is a serious and compelling reason to do so (and it’s in the best interests of the child).
  10. Geolocation should be OFF by default, and when turned on it must be obvious to the user that location tracking is taking place. At the end of each session any tracking visible to others must be returned to the OFF setting.
  11. Parental controls, if you provide these in your digital offering then there should be age appropriate information about these presented to the child user.
  12. Profiling should be OFF by default, and should only be turned on if the child user will be protected from harmful effects.
  13. Nudge techniques must not be used to encourage children to provide personal data or to weaken their privacy settings.
  14. Connected toys & devices must conform to the code.
  15. Online tools must provide prominent, accessible tools to help children exercise their data protection rights and be able to report their concerns.

Full details of each standard can be found on the ICO website in the side menu.

What happens if I don’t comply?

The ICO will be regulating the code of practice, and will consider how much effort an organisation has made to comply (if they don’t fully). They will be focusing on any complaints from parents, carers, teachers and children and with high risk situations as a priority. Penalties may include fines up to 4% of global turnover. They are keen for businesses to work with their guidance and support to make their digital offerings safe.

Written by Becky

As our longest-serving Project Manager, Becky continues to put her vast experience to use for Evoluted’s clients. Having worked within the digital industry for more than 18 years, Becky’s history includes time with The University of Derby and a technical publications firm. Across the roles she’s worked, she’s developed impressive knowledge surrounding accessibility, programming and design.

Up next…
Public Sector Websites Face Accessibility Statement Deadline
27 August, 2020


Leave a comment

Replying to: - Cancel