Age Appropriate Code of Practice Comes Into Force
On 2nd September, the new Age Appropriate Code of Practice for online services came into force, with a 12 month transitional period for organisations to put it into effect.
This code of practice is specifically aimed at how online services provide security and privacy for children. 1 in 5 internet users in the UK is a child, so this is clearly a really important topic to address.
The code builds on GDPR, with 15 flexible standards for building in protection for children. It provides practical guidance on safeguarding children’s personal data. This affects apps, games and websites, as well as social media platforms and connected toys.
The Information Commissioner's Office (ICO) wants developers and designers to make these standards part of their everyday approach to digital work. It is developing a support package to help the industry through the transition over the next 12 months.
The ICO already has some resources on its site to help organisations get started.
What websites are affected by this?
Any UK website that is likely to be accessed by children is affected, so this includes news and education service websites.
It also affects websites for museums, attractions and places of interest, plus sites that would be visited by children for homework or hobbies.
Unless your site is already restricted by age (such as a gambling or alcohol site), there is some chance it is, or could be, used by children.
Is my site collecting user data?
If you don’t know the answer to this question then it’s a good time to find out.
If your site has no analytics running on it, no third party scripts or embeds (not even a Google map), and no forms, then it’s possible you’re not collecting any data at all.
That’s just not how websites are set up these days, though. Most have various tracking codes in place, from a Facebook pixel for remarketing to Google Tag Manager event tracking for custom actions or ecommerce, all of which collect some form of data.
The Campaign for Plain English works towards removing jargon and making information easy to read and understand for everyone. Working with them, or with a good copywriter, will help you make your policies much more user-friendly.
What do I need to do?
You will need to carry out a Data Protection Impact Assessment (DPIA) if there is a chance of high risk, but if you’re starting a new site that involves user data it’s something you should seriously consider anyway.
The ICO has some checklists you can use to help you decide whether you need to carry out the assessment, and an assessment template Word document for when you do need to go ahead.
Like any risk assessment, this is a case of planning and documenting, and taking it one step at a time.
The 15 standards of the code of practice
The 15 standards of the code of practice in summary are:
- The best interests of the child should be the primary consideration in design and development.
- Data protection impact assessments: these should be carried out to assess the risks to children in relation to data privacy.
- Age appropriate application: either the digital offering needs to be suitable for all ages in relation to data privacy, or it needs to be age appropriate for the user.
- Transparency: privacy information needs to be presented in a clear and understandable manner for the age of the user, and “bite-sized” information should be displayed at the point at which a data feature is activated.
- Detrimental use of data: children’s personal data must not be used in a manner that can harm their wellbeing.
- Default settings must be “high privacy” as standard.
- Data minimisation: collect and use the least amount of data needed to operate the service, and make sure the user understands and consents to any additional data being collected and what it will be used for.
- Data sharing: children’s data must not be disclosed unless there is a serious and compelling reason to do so (and it’s in the best interests of the child).
- Geolocation should be OFF by default, and when turned on it must be obvious to the user that location tracking is taking place. At the end of each session, any location tracking visible to others must be returned to the OFF setting.
- Parental controls: if you provide these in your digital offering, age appropriate information about them should be presented to the child user.
- Profiling should be OFF by default, and should only be turned on if the child user will be protected from harmful effects.
- Nudge techniques must not be used to encourage children to provide personal data or to weaken their privacy settings.
- Connected toys and devices must conform to the code.
- Online tools: provide prominent, accessible tools to help children exercise their data protection rights and report their concerns.
Full details of each standard can be found on the ICO website in the side menu.
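Several of the standards above (high privacy defaults, geolocation and profiling OFF by default, no nudging, location visibility reset at the end of each session) describe behaviour that a site's settings layer has to enforce rather than merely document. The snippet below is an added example, not code from the original post or from the ICO: it models a child user's privacy settings as a small state object and shows how the defaults, the explicit opt-in rule and the session-end reset fit together. The setting names, the `source` values and the tag names are assumptions chosen for illustration.

```javascript
// Added example (not from the original post or the ICO): privacy-by-default
// settings for a site that children are likely to use. Setting names and
// "source" values are assumptions for illustration.

// Standard: default settings must be "high privacy"; geolocation and
// profiling are OFF; third-party tracking tags are not loaded by default.
const HIGH_PRIVACY_DEFAULTS = Object.freeze({
  geolocation: false,            // location tracking
  locationVisibleToOthers: false, // sharing location with other users
  profiling: false,              // behavioural profiling / personalisation
  analytics: false,              // e.g. Google Tag Manager event tracking
  marketingPixels: false,        // e.g. a remarketing pixel
});

// A fresh profile starts from the frozen defaults and an empty consent log.
function newProfile() {
  return { ...HIGH_PRIVACY_DEFAULTS, consentLog: [] };
}

// Standard: nudge techniques must not weaken privacy; only an explicit user
// choice ("user-explicit") can turn a data feature ON. A pre-selected box,
// a default, or a missing choice never enables anything. Turning a feature
// OFF is always allowed, from any source.
function applyChoice(profile, setting, enabled, source) {
  if (!(setting in HIGH_PRIVACY_DEFAULTS)) {
    throw new Error(`unknown setting: ${setting}`);
  }
  if (typeof enabled !== 'boolean') {
    throw new TypeError('a choice must be an explicit true/false');
  }
  if (enabled && source !== 'user-explicit') {
    return profile; // silently refuse: no change, nothing logged
  }
  // Location visibility makes no sense without location tracking itself.
  if (setting === 'locationVisibleToOthers' && enabled && !profile.geolocation) {
    return profile;
  }
  return {
    ...profile,
    [setting]: enabled,
    consentLog: [...profile.consentLog, { setting, enabled, source }],
  };
}

// Standard: at the end of each session, any location tracking visible to
// others returns to OFF. The user's own geolocation choice is kept.
function endSession(profile) {
  if (!profile.locationVisibleToOthers) return profile;
  return {
    ...profile,
    locationVisibleToOthers: false,
    consentLog: [
      ...profile.consentLog,
      { setting: 'locationVisibleToOthers', enabled: false, source: 'session-end' },
    ],
  };
}

// Standard: data minimisation. Only load the third-party tags the current
// settings allow; an empty list means the page ships with no trackers.
function permittedTags(profile) {
  const tags = [];
  if (profile.analytics) tags.push('gtm');
  if (profile.marketingPixels) tags.push('remarketing-pixel');
  return tags;
}

// Standard: geolocation ON must be obvious to the user. The caller is
// expected to render this text wherever tracking is active.
function locationNotice(profile) {
  if (!profile.geolocation) return null;
  return profile.locationVisibleToOthers
    ? 'Your location is being tracked and other people can see it.'
    : 'Your location is being tracked.';
}
```

In a real site these functions would sit behind whatever stores the user's settings (a session, a cookie, a server-side profile); the point of keeping them pure is that the rules are easy to unit test, and a regression such as a pre-ticked "share my location" box turning geolocation on shows up as a failing test rather than a complaint to the ICO.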
What happens if I don’t comply?
The ICO will be regulating the code of practice, and will consider how much effort an organisation has made to comply (if it doesn’t fully comply). It will focus on complaints from parents, carers, teachers and children, and on high risk situations as a priority. Penalties may include fines of up to 4% of global turnover. The ICO is keen for businesses to work with its guidance and support to make their digital offerings safe.