In April, the Information Commissioner’s Office (ICO) issued for consultation a draft code of practice for online services likely to be accessed by UK children (under 18). Importantly, the code isn’t restricted to sites specifically aimed at children.
If and when the code is implemented, it won’t just be “guidance”. It’s a statutory code, which fleshes out relevant principles in the Data Protection Act 2018 and the “GDPR”. The ICO and the courts are likely to take it into account when assessing children-related privacy compliance by websites and apps. And we all know how sensitive this issue has now become.
Perhaps the key “take home” here is that you can’t comply with these standards by simply stuffing extra wording into your privacy policy. The clue is in the code title: “Age appropriate design…” Many of the requirements will impact on the design of your website or app. Obviously it’s better to incorporate these into your web or app design process as early as possible. Rather than waiting to start the “legals” until your project is close to completion, as usually happens.
So, what’s in the draft code? 122 pages, that’s what! Fortunately, this website loves bullet points and so we’ve selected some brief highlights for you:
- Consider children’s best interests, e.g., minimise risks of exploitation.
- Tailor your service to the appropriate children’s age ranges.
- Apply the code to all users unless you have an effective age verification system to work out who are children.
- Privacy language and terms must be short, prominent and clear including additional bite-sized explanations at key points.
- Enforce your terms and policies.
- Don’t use children’s personal information contrary to advertising etc codes or otherwise in a detrimental way, e.g, be careful about using “sticky” features to retain children’s engagement.
- Generally, privacy settings must default to the highest level.
- Collect the minimum children’s personal information you need.
- Don’t share it without a very good reason.
- Geolocation options should default to “off” unless there is compelling reason otherwise. Make it very clear to children when location tracking is on. If others can see the child’s location, default to off after each session.
- Give children appropriate information about parental controls and monitoring.
- Be very careful about profiling children.
- Make tools readily available for children to exercise their data protection rights and report concerns.
- Carry out a “data protection impact assessment” early in your design process.
- Have polices and procedures which demonstrate your compliance with data protection requirements.
Here is the full code.
See here for more guidance from Adlex about privacy and the GDPR.
