ICO launches consultation on age-appropriate design for digital services

April 14, 2019

The Information Commissioner has launched a consultation on a draft code of practice on age appropriate design. The consultation ends on 31 May 2019.

The draft code of practice is a statutory code of practice prepared under section 123 of the Data Protection Act 2018. The final version will be laid before Parliament and is expected to come into effect before the end of 2019.

To inform the code’s development, a report was commissioned by the ICO to explore the views of parents, carers and children on a range of issues suggested by the government as areas for inclusion in the code.  The report has been published alongside the code.

The code contains a summary listing 16 headline ‘standards of age-appropriate design’ for services like apps, connected toys, social media platforms, online games, educational websites and streaming services. It is not restricted to services specifically directed at children.  The standards include areas such as transparency, parental controls, online tools and geolocation, among others.

The main body of the code is then divided into 16 sections, each giving more detailed guidance on what the standard means, why it is important, and how organisations can implement it in practice. It focuses on specific safeguards to ensure a service is appropriate for children who are likely to access it, so that personal information is processed fairly. It is not intended as an exhaustive guide to data protection compliance and does not elaborate on organisations’ obligations on security, processors or breach reporting.

The draft code says that the best interests of the child should be a primary consideration when designing and developing online services. It says that privacy must be built in and not bolted on.

Settings must be “high privacy” by default (unless there is a compelling reason not to); only the minimum amount of personal data should be collected and retained; children’s data should not usually be shared; and geolocation services should be switched off by default in most circumstances. 

So-called “nudge techniques” should not be used to encourage children to provide unnecessary personal data, to weaken their privacy settings or carry on using the service longer than they had intended. An example of this would be having a “yes” button to share data which was much larger than the “no thanks” button. The code also addresses issues of parental control and profiling.

The code gives practical guidance on data protection safeguards that ensure online services are appropriate for use by children. The aim is that online service providers are left in no doubt about what is expected of them when it comes to looking after children’s personal data. It further aims to help create an open, transparent and safer place for children to play, explore and learn online.

The standards in the code are based on existing data protection laws that are regulated by the ICO. Organisations should follow the code and demonstrate that their services use children’s data fairly and in compliance with data protection law. Organisation that do not could face enforcement action including fines of up to £17million or 4% of global turnover or orders to stop processing data.