Are You Ready for the Children's Code?

This data protection code of practice for online services came into force on September 2nd 2020 with a 12-month transition period

(This article combines information from the last three issues of Compliance Matters)

The Children’s Code (or to give its formal title, the Age Appropriate Design Code) came into force on 2 September 2020 with a 12-month transition period to give organisations time to prepare. It’s a data protection code of practice for online services, such as apps, online games, and web and social media sites, likely to be accessed by children.

Research by the Information Commissioner’s Office (ICO) found that three quarters of businesses surveyed are aware of the Children’s Code. Its survey of 500 services and businesses showed that they are still in the preparation stages.

Details of the code were first published in June 2018 and UK Parliament approved it last year. Organisations should conform by 2 September 2021.

Who does the code apply to?

The Children's Code is applicable to anyone who provides "information society services likely to be accessed by children". This means that most "for profit" information society services (or ISS) will be covered. These services include:

  • Apps;
  • Programs;
  • Search engines;
  • Social media platforms;
  • Online messaging or internet based voice telephony services;
  • Online marketplaces;
  • Content streaming services (e.g. video, music or gaming services);
  • Online games;
  • News or educational websites; and
  • Any websites offering other goods or services to users over the internet. Electronic services for controlling connected toys and other connected devices are also ISS.

Detrimental use of data

Standard 5 of the Children’s Code – Detrimental use of data – says that information society services should not “use children’s personal data in ways that have been shown to be detrimental to their wellbeing, or that go against industry codes of practice, other regulatory provisions, or Government advice.”

The Children’s Code states that ISS should “keep up to date with relevant recommendations and advice and not process children’s personal data in ways that are obviously detrimental or run counter to such advice.”

Risk and Harms Framework

There are many ways that children’s data online can create risk and potentially lead to harm. The ICO’s AADC Harms Framework indicates that the key harms that are likely to arise for children online include:

  • Loss of time: data-enabled service personalisation leads to excessive engagement, for example using reward loops, continuous scrolling, notifications and auto-play features;
  • Cognitive and emotional development impeded: profiling and targeted advertising promotes content that impedes cognitive development;
  • Promotion of unsafe or age-inappropriate products: targeted advertising promotes demonstrably unsafe or age-inappropriate products and services, e.g. gambling, tobacco, alcohol, films, games aimed at adults;
  • Financial loss: profiling and targeted ads are used to promote in-service purchases by children, where children may not have the capacity or economic literacy to understand the implications;
  • Grooming and radicalisation: ineffective age-assurance allows malicious actors to access online communities for children;
  • Sharing personal information without valid reason: personal data of child users is shared with third parties against the best interest of the child;
  • Algorithmic bias and discrimination in automated decision-making: automated decision-making (for example relating to age assurance) unfairly restricts access to services, or aspects of services, for children;
  • Loss of social standing and interpersonal conflict: children's data shared with other users and social groups without consent, or set to on-by-default;
  • Suppression or moderation of cultural expression: users' online cultural expression is moderated not in accordance with policies and community standards;
  • Lack of institutional accountability: online services fail to adhere to terms and conditions and community policies; avenues of redress for data rights are not available or accessible to users; and
  • Service lock-in: online services' terms and conditions relating to personal data mislead or are too complex for children to understand, leading them to remain using the service.

Elizabeth Denham on The Children's Code

The Information Commissioner, Elizabeth Denham, made a statement when the ICC was first launched which clearly laid out what the code entailed and why it has had to be put in place. She said:

"For all the benefits the digital economy can offer children, we are not currently creating a safe space for them to learn, explore and play."

"Our recent national survey into people’s biggest data protection concerns ranked children’s privacy second only to cyber security. This mirrors similar sentiments in research by Ofcom and the London School of Economics."

"Developers and those in the digital sector must act. We have allowed the maximum transition period of 12 months and will continue working with the industry."

"A generation from now, I believe we will look back and find it peculiar that online services weren’t always designed with children in mind." -Elizabeth Denham CBE

What does The Children's Code do?

The Children’s Code sets out 15 standards that organisations must meet to ensure that children’s data is protected online. This code applies to all the major online services used by children in the UK and will help to minimise data collection and use and provide default settings, ensuring that children have the best possible access to online services.

The 15 standards

1. Best interests of the child: These should be a primary consideration when you create online services which are likely to be accessed by a child.
2. Data protection impact assessments: A Data Protection Impact Assessment (DPIA) should be undertaken to analyse the risks to the rights and freedoms of children who are likely to access your service. Differing ages, capacities and development needs should be taken into consideration, ensuring that your DPIA builds in compliance with this code.
3. Age appropriate application: A risk-based approach must be taken to recognise the age of every user. You should apply the standards in this code to child users by establishing age with a level of certainty that is appropriate to the rights and freedoms of children that arise from your data processing. Alternatively, apply the standards in this code to all your users instead.
4. Transparency: The privacy information you provide to users, and other published terms, policies and community standards, must be clear, concise and suited to the age of the child. You should provide additional specific ‘bite-sized’ explanations about how you use personal data at the point that use is activated.
5. Detrimental use of data: Children’s personal data should not be used in ways that have been shown to be detrimental to their wellbeing, or that go against industry codes of practice, other regulatory provisions or Government advice.

If an online service is likely to be accessed by children under the age of 18, then it is probably covered by the code, even if those children aren't the target market. This means that changes may be necessary to how services are designed and how personal data is processed, to ensure that they conform with the code. The code applies to both UK and non-UK companies.

6. Policies and community standards: Businesses and organisations must uphold their own published terms, policies and community standards (including but not limited to behaviour rules, privacy policies, age restriction, and content policies).
7. Default settings: Settings must be ‘high privacy’ by default (unless you can demonstrate a compelling reason for a different default setting, taking account of the best interests of the child).
8. Data minimisation: Only the minimum amount of personal data should be collected and retained. Children should be given separate choices over which elements they wish to activate.
9. Data sharing: Do not disclose children’s data unless you can demonstrate a compelling reason to do so, taking account of the best interests of the child.
10. Geolocation: Switch geolocation options off by default (unless you can demonstrate a compelling reason for geolocation to be switched on by default, taking account of the best interests of the child). An obvious sign for children must be provided when location tracking is active. Options which make a child’s location visible to others must default back to ‘off’ at the end of each session.

11. Parental controls: If parental controls are provided, the child should be given age appropriate information about this. If your online service allows a parent or carer to monitor their child’s online activity or track their location, provide an obvious sign to the child when they are being monitored.
12. Profiling: Switch options which use profiling ‘off’ by default (unless you can demonstrate a compelling reason for profiling to be on by default, taking account of the best interests of the child). Profiling should only be allowed if you have appropriate measures in place to protect the child from any harmful effects (in particular, being fed content that is detrimental to their health or wellbeing).
13. Nudge techniques: Do not use nudge techniques to lead or encourage children to provide unnecessary personal data or weaken or turn off their privacy protections.
14. Connected toys and devices: If you provide a connected toy or device ensure you include effective tools to enable conformance to this code.
15. Online tools: Provide prominent and accessible tools to help children exercise their data protection rights and report concerns.