ICO launches consultation on Code of Practice to help protect children online

ICO logo - Information Commissioner's Office - GDPR
01May, 2019

Last month the Information Commissioner’s Office opened consultation on 16 standards that online services must meet to protect children’s privacy in.

Age appropriate design: a code of practice for online services sets out the standards expected of those responsible for designing, developing or providing online services likely to be accessed by children and which process their data.

When finalised, it will be the first of its kind and become an international benchmark.

Elizabeth Denham, Information Commissioner, said:

“This is the connected generation. The internet and all its wonders are hardwired into their everyday lives. We shouldn’t have to prevent our children from being able to use it, but we must demand that they are protected when they do. This code does that.”

Introduced by the Data Protection Act 2018, the draft code sets out 16 standards of age appropriate design for online services like apps, connected toys, social media platforms, online games, educational websites and streaming services. It is not restricted to services specifically directed at children.

The draft code says that the best interests of the child should be a primary consideration when designing and developing online services. It says that privacy must be built in and not bolted on.

Settings must be “high privacy” by default (unless there’s a compelling reason not to); only the minimum amount of personal data should be collected and retained; children’s data should not usually be shared; and geolocation services should be switched off by default in most circumstances. So-called “nudge techniques” should not be used to encourage children to provide unnecessary personal data, to weaken their privacy settings or carry on using the service longer than they had intended. It also addresses issues of parental control and profiling.

Ms Denham said:

“The ICO’s Code of Practice is a significant step, but it’s just part of the solution to online harms. We see our work as complementary to the current focus on online harms, and look forward to participating in discussions regarding the Government’s white paper.”

The code gives practical guidance on data protection safeguards that ensure online services are appropriate for use by children. It leaves online service providers in no doubt about what is expected of them when it comes to looking after children’s personal data. It helps create an open, transparent and safer place for children to play, explore and learn online.

The standards in the code are rooted in existing data protection laws that are regulated by the ICO. Organisations should follow the code and demonstrate that their services use children’s data fairly and in compliance with data protection law. Those that don’t, could face enforcement action including fines of up to £17 million or 4% of global turnover or orders to stop processing data.

Baroness Kidron, who led the parliamentary debate about the creation of the code, said:

“I welcome the draft code released today which represents the beginning of a new deal between children and the tech sector.

“For too long we have failed to recognise children’s rights and needs online, with tragic outcomes.

“I firmly believe in the power of technology to transform lives, be a force for good and rise to the challenge of promoting the rights and safety of our children. But in order to fulfil that role it must consider the best interests of children, not simply its own commercial interests. That is what the code will require online services to do. This is a systemic change.”

The code is out for consultation until 31 May. The final version will be laid before Parliament and is expected to come into effect before the end of the year.

The code was informed by initial views and evidence gathered from designers, app developers, academics and civil society. You can read the responses here.

The ICO also sought views from parents and children by working with research company Revealing Reality. The findings from that work have been published for the first time.