Published: 31 August 2021
Location: London, UK
Whilst not law, the Age Appropriate Design Code laid out by the Secretary of State is expected to be followed and will be a key measure when analysing compliance with data protection laws.
According to a national survey carried out by Ofcom and the London School of Economics, 1 in 5 internet users within the United Kingdom are children, interacting with a digital world that was never intended for them. The ICO states clearly that “This code is necessary. This code will lead to changes that will help empower both adults and children”.
The code consists of 15 key standards which must be followed in order to comply.
Best interests of the child
As the United Nations Convention on the Rights of the Child (UNCRC) writes “In all actions concerning children, whether undertaken by public or private social welfare institutions, courts of law, administrative authorities or legislative bodies, the best interests of the child shall be a primary consideration”.
This involves protecting the physical and mental welfare and safety of children at every stage of the digital experience provided.
This doesn’t mean that your commercial goal can’t align with the best interests of the child. If a conflict does occur, the best interests of the children must take priority.
Data protection impact assessments (DPIA)
This should be thought about in the early stages of planning out your service. The ICO lays out seven steps to assist you.
1) Identify the need for a DPIA
2) Describe the processing
3) Consider consultation
4) Assess necessity and proportionality
5) Identify and assess risks arising from your processing
6) Identify measures to mitigate the risks
7) Sign off, record and integrate outcomes
By following the steps above, you will follow a ‘data protection by design’ approach. This will ensure all obligations are planned into the service from the beginning and no surprises will occur.
If your service is likely to be accessed by children of a specific age range, then you must ensure the design and data processing are appropriate for that target audience.
Ensure you are honest and clear, letting your users know what they should expect from your service.
Detrimental use of data
Any use of data that could be considered detrimental to children’s wellbeing or health, be it physical or mental, goes against the code, industry practices and the Government advice on children’s welfare.
Policies and community standards
It is a requirement that all published policies and terms and conditions are followed. This also includes actively enforcing any community rules that are laid out.
Most children will accept the default settings, without reading or understanding them. That means that the default settings must be age-appropriate, following all guidance set out in this code.
This simply means collecting the minimum data required in order to deliver your service. You mustn’t collect more data than you need from children.
Data sharing means that you must disclose data to third parties when required to do so. An example of routine data sharing would be an educational app sharing data with the child’s school.
Geolocation options need to be switched off by default. Geolocation means determining a user’s location using device data (GPS, Wi-Fi, etc.).
If there are parental controls included in your service, they must be clearly communicated to the child when active, i.e. any monitoring of the session, time limits, etc.
Any form of profiling options using the data provided must be switched off by default. Profiling can only be used where measures are taken to ensure the child is protected from any harmful effects.
A nudge technique makes one option seem more positive than another, and can take many different forms. When designing an age-appropriate service, nudge techniques mustn’t be included unless they are positive for the child’s privacy, wellbeing and health.
Connected toys and devices
Any toys and devices that transfer data over the internet must also follow the steps laid out in this code. Devices containing microphones and video cameras raise many issues as the data collected has the potential to be private and sensitive.
All services targeted towards children need to give users mechanisms that allow them to access their personal data, make complaints or exercise any of the rights laid out in GDPR, listed below:
1) The right of access
2) The right to rectification
3) The right to erasure
4) The right to restrict processing
5) The right to data portability
6) The right to object
7) Rights in relation to automated decision making and profiling
Following this code when designing online services aimed at children will ensure they are protected and empowered in the digital world. This code is the first of its kind and is now being considered globally, which shows the global shift in attitudes towards the way children are interacting with the current digital world.
Why Media is a reputable design, marketing, digital communications and PR agency offering tailored solutions to companies on a global scale. We have extensive experience in delivering design and marketing services to a spectrum of companies including professional services, property companies, financial institutions and shopping centres.