NEWS 22 January 2020

Children’s online privacy code of practice published

UK – The Information Commissioner’s Office has set out 15 privacy standards that companies designing online services should meet to safeguard children’s online privacy.

The ‘age appropriate design code’ will apply to online products or services that are likely to be accessed by children and process personal data, including apps, programmes, websites, games, community environments, and connected toys or devices. It is not restricted to services aimed specifically at children.

Under the new standards, digital services will be required to automatically set ‘high’ privacy settings – and not use nudge techniques to encourage children to reduce such settings.

The code also states that geolocation settings should be switched off by default, while data collection, retention and sharing should be minimised. Profiling should also be off by default, unless companies can give a ‘compelling’ reason otherwise and have measures in place to protect the child.

The code is based on the principles of the General Data Protection Regulation (GDPR) and must complete a statutory process before it is laid before parliament.

After the code is approved by parliament, organisations will have 12 months to update their practices before it comes into full effect, which is expected to be before autumn 2021.

Elizabeth Denham, information commissioner, said: "Personal data often drives the content that our children are exposed to – what they like, what they search for, when they log on and off and even how they are feeling.

"In an age when children learn how to use an iPad before they ride a bike, it is right that organisations designing and developing online services do so with the best interests of children in mind. Children’s privacy must not be traded in the chase for profit."

The draft version of the code – which went out for consultation in April 2019 – was informed by views and evidence from designers, app developers, academics, and findings from research with parents and children conducted by Revealing Reality.

As a result of the consultation, the ICO made changes including:

  • Clarifying the need for a risk-based and proportionate approach to age verification
  • Clarifying what services the code applies to
  • Clarifying its approach to enforcement
  • Adding ‘frequently asked questions’ specific to the media industry
  • Allowing a 12-month transition period, which is the maximum permitted