The Information Commissioner’s Office (ICO) has confirmed that by November 23, 2019, it will present its Age Appropriate Design Code of Practice to the UK Parliament for approval. Unless Parliament objects, this mandatory code will be issued and in force (albeit with a transition period) as early as January 2020.
The final code has been hotly anticipated since the call for input on the issue of age appropriate design in June 2018. Since then, the ICO has worked with a large number of stakeholders to understand the key challenges when designing child-accessible services. In that context, it published its draft iteration of the code for consultation earlier this year (the Draft Code). This Draft Code sets out 16 standards (the Standards) which must be followed when designing online services accessible to children under 18. In an August update, the ICO recognized that the code will cause shifts in the design processes for online services which make use of children’s data, such as the tech, e-gaming and interactive entertainment industries. In light of this the ICO, as well as providing clearer guidelines in the code itself, will provide additional guidance for designers and engineers. The ICO adds, however, that non-compliance is not an option, stressing that “[t]here is no room for companies who decide children’s privacy is a problem that’s simply too hard to solve.”
This blog post revisits the key requirements of the Draft Code, and sets out the next steps for organizations that are in scope.
Scope of the Draft Code
The Draft Code applies to any online products or services that process personal data and are likely to be accessed by children (anyone under the age of 18), including applications, websites, search engines, community environments, programs, games, and connected toys or devices. The scope of the Draft Code is unlikely to change, and it will create significant new obligations for services that are not specifically designed for children and have never had to take children into account. Although the Draft Code applies to UK-based companies and non UK-based companies otherwise offering services in the UK, the ICO has made it clear that it expects the final version to become an international benchmark.
The Draft Code focuses on how companies can effectively design online services that meet the principles of the EU’s General Data Protection Regulation 2018 (the GDPR). The Draft Code does not address the question of how and when (parental) consent is required or in which situations companies can rely on their legitimate interest to process personal data relating to children.
The key takeaways from the Draft Code are:
- Age ranges—Many of the Standards are built on the requirement to provide online services in an age-appropriate manner, which means that they need to be tailored to different age groups. As a guide, the Draft Code identifies five age groups within the broader children category: 0 to 5, 6 to 9, 10 to 12, 13 to 15, and 16 to 17. For example, privacy policies and notices should be tailored to each age range specifically, and the best interests and well-being of each age range should be considered. Companies who do not know the relevant age range of their users must apply the Standards to all. What this means in practice is not clear but perhaps the final code will provide more clarity. Furthermore, unless a company can clearly demonstrate that its user base likely only consists of adults, the Draft Code recommends that the Standards be applied to all users by default, with adults able to opt out of the specifically designed app or service via robust age-verification. Again, how this recommendation can practically be implemented is unclear and it remains to be seen whether the final code will provide more concrete guidance.
- Strict default privacy settings—Settings for children must be set to high privacy by default. Data use should be limited to that which is essential for the provision of the online service unless i) a child chooses otherwise, or ii) the service provider can demonstrate a compelling reason while taking into account the best interests of the child. Highlighted data minimization measures include limiting sharing of data with third parties (e.g., for advertising purposes), turning geolocation options off, providing a clear sign when a user is being tracked, and turning off profiling. Separate privacy settings for each element of the foregoing should be provided, and turned off by default, with age-appropriate just-in-time notices provided prior to the child turning them on. Furthermore, companies should not exploit unconscious psychological processes, for example by using certain colors or imagery, to “nudge” children to opt in or consent to lower privacy options.
- Parental controls—Parental controls should be built-in, allowing parents or guardians to place limits on a child’s use of the online services if this is appropriate. The Draft Code gives examples of tools to set time limits on the service, including purchases. These can help protect the child’s best interests, but may impact the child’s right to privacy. To counter this, the Draft Code recommends the display of a clear symbol when such a parental tool is active.
Await the final code—We will not know the content of the final code until it is issued in the coming weeks. Although we can expect some clarity to be provided, it is not expected that the main substance will change.
There will be a transition period—The ICO assures companies that they will have time to implement the standards and ensure they are complying with the law. The exact transition time still needs to be decided but will be maximum one year after its approval.
Preparing—Companies that may be impacted by the Code should undertake an analysis as to whether their services require design changes. To avoid making design changes, companies will have to have documentary evidence based on market trends and existing demographics that such changes are not necessary. Companies that are in scope should begin to manage internal expectations regarding potential product and policy changes. It would, however, be prudent to wait until the final code is published before making seismic changes.