On 12 April 2019 the Information Commissioner’s Office opened the consultation on 16 standards concerning the protection of children’s privacy that online services must meet.
The draft of the code was first introduced by the Data Protection Act 2018, now named “Age appropriate design: a code of practice for online services” it sets out the standards expected of those responsible for designing, developing or providing online services that are likely to be accessed by children and which process their data. The online services outlined by the guidance include apps, connected toys, social media platforms, online games, educational websites and streaming services and are not restricted to services specifically directed at children.
The guidance will be the first of it’s kind and will make the best interests of the child as a primary consideration when designing and developing online services. The main issues addressed by the guidance include:
- “High privacy” settings by default (unless there’s a compelling reason not to);
- Collection and retention of only the minimum amount of personal data;
- Restrictions on sharing children’s data;
- Turning-off geolocation by default;
- The restrictions on “nudge techniques” that would encourage children to provide unnecessary personal data, to weaken their privacy settings or carry on using the service longer than they had intended;
- Parental control and profiling;
- Data protection safeguards.
When finished the code should leave online service providers with no doubt about what is expected of them when it comes to looking after children’s personal data. It helps that these standards are rooted in existing data protection laws that are regulated by the ICO. Organisations that fail to show compliance with the standards could face enforcement action including fines of up to £17million or 4% of global turnover or orders to stop processing data.
The code will be out for consultation until 31 May 2019 and the final version is expected to come into effect before the end of the year.