With everything that’s been going on over the past 18 months including Brexit and a pandemic, you wouldn’t be to blame if you hadn’t noticed a new piece of legislation being passed, but on the 2nd September 2020 the Children’s Code came into force, and it’s kind of a big deal.
The Children’s Code (formally known as the Age Appropriate Design Code) is part of the Data Protection Act 2018 which recognises new standards that must be followed by all businesses to help protect children online.
From 2nd September 2020, the Information Commissioner’s Office (ICO) has allowed a 12-month transition period, and we are here to help you understand what you must do to comply!
So, what actually is the Children’s Code?
When a young person visits an app, online computer game or a website, their data can be gathered, which could include information about who exactly is using the service, how frequently they use it and where they are located. This data can be used to tailor the advertisements they see, affect the content they are encouraged to engage with or to persuade them to spend more time using services.
The Children’s Code aims to ensure that children have an automatic baseline of personal data protection whilst online.
This may seem obvious, right? Unfortunately, no.
Many online services may not even realise they’re collecting children’s data, and this can be dangerous for children’s safety. Geolocation, data sharing or even having designs and content that could be aimed at young adults can all result in non-compliance. Children can be easily persuaded, which makes them vulnerable on the internet, and the Children’s Code ensures they have a safe space to explore it.
Now, here’s the moment you’ve all been waiting for…
The 15 Code Standards
As quoted from the ICO, the 15 standards are as follows:
- Best interests of the child: The best interests of the child should be a primary consideration when you design and develop online services likely to be accessed by a child.
- Data protection impact assessments: Undertake a Data protection impact assessment (DPIA) and mitigate risks to the rights and freedoms of children who are likely to access your service, which arise from your data processing. Take into account differing ages, capacities and development needs and ensure that your DPIA builds in compliance with this code.
- Age-appropriate application: Take a risk-based approach to recognising the age of individual users and ensure you effectively apply the standards in this code to child users. Either establish age with a level of certainty that is appropriate to the risks to the rights and freedoms of children that arise from your data processing or apply the standards in this code to all your users instead.
- Transparency: The privacy information you provide to users, and other published terms, policies and community standards, must be concise, prominent and in clear language suited to the age of the child. Provide additional specific ‘bite-sized’ explanations about how you use personal data at the point that use is activated.
- Detrimental use of data: Do not use children’s personal data in ways that have been shown to be detrimental to their wellbeing, or that go against industry codes of practice, other regulatory provisions or Government advice.
- Policies and community standards: Uphold your own published terms, policies and community standards (including but not limited to privacy policies, age restriction, behaviour rules and content policies).
- Default settings: Settings must be ‘high privacy’ by default (unless you can demonstrate a compelling reason for a different default setting, taking account of the best interests of the child).
- Data minimisation: Collect and retain only the minimum amount of personal data you need to provide the elements of your service in which a child is actively and knowingly engaged. Give children separate choices over which elements they wish to activate.
- Data sharing: Do not disclose children’s data unless you can demonstrate a compelling reason to do so, taking account of the best interests of the child.
- Geolocation: Switch geolocation options off by default (unless you can demonstrate a compelling reason for geolocation to be switched on by default, taking account of the best interests of the child). Provide an obvious sign for children when location tracking is active. Options which make a child’s location visible to others must default back to ‘off’ at the end of each session.
- Parental controls: If you provide parental controls, give the child age appropriate information about this. If your online service allows a parent or carer to monitor their child’s online activity or track their location, provide an obvious sign to the child when they are being monitored.
- Profiling: Switch options which use profiling ‘off’ by default (unless you can demonstrate a compelling reason for profiling to be on by default, taking account of the best interests of the child). Only allow profiling if you have appropriate measures in place to protect the child from any harmful effects (in particular, being fed content that is detrimental to their health or wellbeing).
- Nudge techniques: Do not use nudge techniques to lead or encourage children to provide unnecessary personal data or weaken or turn off their privacy protections.
- Connected toys and devices: If you provide a connected toy or device ensure you include effective tools to enable conformance to this code.
- Online tools: Provide prominent and accessible tools to help children exercise their data protection rights and report concerns.
What does this mean for your business?
Any website, app, or digital service with users or operations in the UK will now have to consider the best interests of a child when designing their services.
The concept of the Children’s Code is essentially ‘risk based’. This means if you think your website will be visited by a young person, then you must comply fully. If you don’t think it will, then you might not need to do as much.
According to the data protection consultancy The Data Protection Network, you should think carefully and be prepared to justify non-compliance if you feel that the code does not apply to you. The considerations include:
- Is the possibility of a child accessing the service more likely than unlikely?
- Do you have security and privacy measures in place to prevent children accessing an adult only service?
- Does the content or general nature of the service seem slightly appealing to children, even if it’s not intended for them? (Remember, this includes 16 and 17 year olds.)
Sounds risky, right?
Guidance from the ICO states that employees or agencies who are responsible for designing, developing or offering online services such as apps, social media platforms, online games, educational websites or streaming services that use, analyse and profile children’s data will have to comply with this code.
How young is young?
Now, you may be thinking your website isn’t going to be read by a young child under the age of 12. However, the code applies to any service which may be accessed by any young person aged under 18, as the code has adopted the UN Convention on the Rights of the Child (UNICEF).
We understand the age of consent is 13, but this should not be seen as the same. Children and their guardians can choose to change the default setting, but the code makes sure they initially get the right information, guidance, and advice before they do so, along with proper protection and information on how their data will then be used.
Example of non-compliance: Age of Learning, Inc.
On September 3rd 2020 (ironically the day after the new legislation came into force), the US Federal Trade Commission (FTC) announced a settlement relating to the children’s online learning program ABCmouse, operated by Age of Learning, Inc. The membership-based online learning tool is aimed at children between two and eight years old, who can access it via the company’s website or mobile app.
The FTC stated that Age of Learning, Inc. made misrepresentations about its consumer subscriptions, which resulted in unclear instructions for parents and misinformed them about the automatic renewal of their subscriptions. The company then made it very difficult for users to cancel. In the document from the FTC, the organisation had violated three of the Children’s Code regulations, and it has now paid a fine of $10 million, along with updating its regulations.
What regulations were violated?
- Transparency (Standard 4)
The policies regarding the membership and cancellation procedures were not explained clearly.
- Policies and Community Standards (Standard 6)
The organisation stated many times that its membership policy offered “Easy Cancellation”, which it did not.
- Nudge Techniques (Standard 13)
The company used terms such as “free,” “trial,” “sample,” and “no obligation,” nudging users into a subscription where they must take action to avoid future charges.
Toolkit for organisations
To help you prepare for the time that they begin enforcing the Children’s Code, the ICO has created a Toolkit as a starting point for complying with the new legislation.
For many, complying with the Children’s Code might not be too complicated. If you’re already anonymising data and you have a properly functioning cookie banner on your website, then you may be halfway there. The Toolkit can help you to achieve the remaining tasks.
As a Digital Agency, we strongly recommend that businesses take advantage of the toolkit, which will ask you a series of questions regarding lawfulness, the data protection principles, subject data rights and accountability and governance. Once complete, the toolkit will produce a report containing tailored advice for your data analytics project and practical actions your business can take to help you improve your data protection compliance.
The ICO has indicated it will investigate and take action if there are concerns about how children’s data is being used, or from complaints made by parents, teachers, guardians or children. Any non-compliance with the Code carries a risk of reputational damage or financial action if complaints are made.
While the code will bring a number of new challenges, now is the best time for your business to assess your compliance and implement the necessary changes. Let our team help support you with your company’s data protection needs.