Who: The ICO and information society service providers.
Where: United Kingdom
When: 15 April 2019
Law stated as at: 1 May 2019
What happened:
The Information Commissioner, as required by section 123 of the Data Protection Act, published its consultation document – Age appropriate design: a code of practice for online services (the “Code“) – which was open for public comment until 31 May 2019.
Once finalised, the intention is that the Code will form a minimum standard to be followed by providers of information society services (ISS) who provide online products or services (which includes apps, programs, websites, games, community environments, connected toys or devices) which process personal data and are likely to be accessed by children.
The Code sets out 16 standards of age-appropriate design for anyone who is caught by the Code, dealing with:
- best interests of the child;
- age-appropriate application;
- transparency;
- detrimental use of data;
- policies and community standard;
- default settings;
- data minimisation;
- data sharing;
- geo-location;
- parental controls;
- profiling;
- nudging techniques;
- connected toys and devices;
- online tools;
- data protection impact assessments; and
- governance and accountability.
While there are suggestions and tips within each section, there are some specific, practical standards which warrant highlighting in particular:
Nudging techniques
Nudging techniques are design features which encourage a user to follow a designer’s preferred path. Think of a “consent” box with a large, green “yes” button, and a far smaller, transparent “no” button, or describing a desirable feature such as personalised content as something which makes the service work properly.
The Code suggests that nudging techniques must not be used to lead children to share more personal data, or make poor privacy decisions. Further, pro-privacy nudging techniques should be considered in the best interests of the child and therefore employed.
Default settings
The Code states that the default position for children’s individual privacy settings should be “high privacy”. So, by default, you should not collect more data than is needed for each individual element of the service, or make data more widely available to other users.
Geolocation
Where a service indicates a location of the device (such as local Wi-Fi connection or GPS data), this feature should be switched off by default, and it should be made obvious to the child when their location is being tracked.
The Code clearly demonstrates a thorough approach to protecting children from harm online. As the Commissioner suggests “the answer is not to protect children from the digital world, but to protect them within it“. However, for businesses whose target market is, or is likely to include, children, a review of the user experience and design features to ensure compliance with the Code will be essential.
Why this matters:
The impacts of the Code go hand-in-hand with the GDPR’s requirement that data controllers implement appropriate measures to ensuring that, by default, only necessary personal data is collected for each purpose. Once finalised, businesses will need to review their user-journey to ensure that their service is compliant with the Code.