New standards for online services will help to protect children’s personal data
In our digital age, all parents and guardians worry about whether their children are protected online. In response, the Information Commissioner's Office (ICO) has introduced a new set of standards that all online services must meet to safeguard children's personal data.
Who does the new code apply to?
This code of practice sets out what is expected of those responsible for designing, developing or providing online services likely to be accessed by children. This includes apps, connected toys, social media platforms, online games, educational websites, streaming services, etc.
However, the code is not restricted to services specifically directed at children. It also applies to online services that process the personal and sensitive data of children.
What could happen if these standards are not met?
The code states that the best interests of the child should be a primary consideration when designing and developing online services. Or put simply, that privacy must be built in. Not bolted on.
Once law, online service providers will have to follow the code. They will also have to demonstrate that they use children's data fairly and in compliance with data protection legislation. Those that don't could face a hefty fine and be ordered to stop what they are doing.
Failure to adhere to these standards could also result in data protection compensation claims being made against online service providers.
What are the proposed standards to ensure children's personal data is protected?
There are 16 standards that organisations will be obliged to follow:
- Best interests of the child: The best interests of the child should be a primary consideration when you design and develop online services likely to be accessed by a child
- Age-appropriate application: Consider the age range of your audience and the needs of children of different ages. Apply the standards in this code to all users, unless you have robust age-verification mechanisms to distinguish adults from children
- Transparency: The privacy information you provide to users, and other published terms, policies and community standards, must be concise, prominent and in clear language suited to the age of the child. Provide additional specific 'bite-sized' explanations about how you use personal data at the point that use is activated
- Detrimental use of data: Do not use children's personal data in ways that have been shown to be detrimental to their wellbeing, or that go against industry codes of practice, other regulatory provisions or Government advice
- Policies and community standards: Uphold your own published terms, policies and community standards (including but not limited to privacy policies, age restriction, behaviour rules and content policies)
- Default settings: Settings must be 'high privacy' by default (unless you can demonstrate a compelling reason for a different default setting, taking account of the best interests of the child).
- Data minimisation: Collect and retain only the minimum amount of personal data you need to provide the elements of your service in which a child is actively and knowingly engaged. Give children separate choices over which elements they wish to activate
- Data sharing: Do not disclose children's data unless you can demonstrate a compelling reason to do so, taking account of the best interests of the child
- Geolocation: Switch geolocation options off by default (unless you can demonstrate a compelling reason for geolocation, taking account of the best interests of the child), and provide an obvious sign for children when location tracking is active. Options which make a child's location visible to others must default back to off at the end of each session
- Parental controls: If you provide parental controls, give the child age appropriate information about this. If your online service allows a parent or carer to monitor their child's online activity or track their location, provide an obvious sign to the child when they are being monitored
- Profiling: Switch options which use profiling off by default (unless you can demonstrate a compelling reason for profiling, taking account of the best interests of the child). Only allow profiling if you have appropriate measures in place to protect the child from any harmful effects (in particular, being fed content that is detrimental to their health or wellbeing).
- Nudge techniques: Do not use nudge techniques to lead or encourage children to provide unnecessary personal data, weaken or turn off their privacy protections, or extend their use.
- Connected toys and devices: If you provide a connected toy or device ensure you include effective tools to enable compliance with this code
- Online tools: Provide prominent and accessible tools to help children exercise their data protection rights and report concerns
- Data protection impact assessments: Undertake a DPIA specifically to assess and mitigate risks to children who are likely to access your service, taking into account differing ages, capacities and development needs. Ensure that your DPIA builds in compliance with this code
- Governance and accountability: Ensure you have policies and procedures in place which demonstrate how you comply with data protection obligations, including data protection training for all staff involved in the design and development of online services likely to be accessed by children. Ensure that your policies, procedures and terms of service demonstrate compliance with the provisions of this code.
Age appropriate design
Age appropriate design: a code of practice for online services has been published for consultation. You can read the document in full here. The code is out for consultation until 31 May. The final version will be laid before Parliament. It is expected to come into effect before the end of the year.
Children's personal data must be protected
At Hayes Connor, we want to reduce the number of data violations taking place across the UK. So welcome the new standards.
Alternatively, if you or your child has been the victim of a data breach,contact us to discuss your case in more depth.