The UK Age-Appropriate Design Code, also commonly known as The Child Code, was the first of its kind in the world. While it’s not a new law, it sets standards for how data protection laws apply to children using digital services. And its reach goes far beyond the U.K.
The Child Code has inspired similar laws to be considered in the U.S., Europe, and by the Organization for Economic Co-operation and Development (OECD). Ensuring the protection of children’s data has quickly caught on as a trend in privacy regulators’ minds.
Globally, children access the Internet daily for various reasons, including learning and entertainment. Yet, the necessary safeguards to protect children’s data are missing from most websites, apps, and other technologies. The UK Age-Appropriate Design Code and other recent children’s privacy regulations seek to correct this gap in our digital world.
The ICO has prepared an extensive website and resources to describe the Code in detail. The information featured here is only a summary of the UK Age-Appropriate Design Code. For the most complete and updated information, please refer to the ICO.
The UK Age-Appropriate Design Code Reaches Beyond the UK and Child-Focused Sites
Any company that processes the personal data of U.K. children must comply with the UK Age-Appropriate Design Code Act. And the Code is for any online services children (up to 18 years of age) are likely to use. It doesn’t matter if your website or app is meant for use by children or not.
The types of products and services children are likely to use include:
- Apps
- Social media platforms and online messaging services
- Content streaming devices (video, music, and gaming services)
- Online games, news, and educational sites
- Websites offering any goods or services over the internet and online marketplaces (Amazon)
- Electronic services offering support or control to connected toys or connected devices (Internet of Things (IoT))
The Code went into force on September 2, 2020, with a 12-month transition period. Meaning your organization must demonstrate that any services using children’s data are in compliance with the Data Protection Act 2018 (GDPR) and the Privacy and Electronic Communication (EC Directive) Regulations with respect to these guidelines.
Any online services failing to comply with any provision of this Code may find it difficult to demonstrate compliance with the GDPR and invite regulatory action.
The 15 Standards of Age-Appropriate Design
Together, the 15 age-appropriate design standards should help your organization understand and implement the Code in its own way. Implementing all standards is required for GDPR and PERC compliance and will help your organization take a risk-based approach to develop digital services.
To summarize, the default setting should provide children with the best possible access to online services while minimizing data collection and use.
The ICO provides the 15 Standards of Age-Appropriate Design:
- Best Interests of the Child
- Data Protection Impact Assessments
- Age-Appropriate Application
- Transparency
- Detrimental Use of Data
- Policies and Community Standards
- Default Settings
- Data Minimization
- Data Sharing
- Geolocation
- Parental Controls
- Profiling
- Nudge Techniques
- Connected Toys and Devices
- Online Tools
The Best Interests of The Child are the Most Important
Children have a right to privacy, freedom from economic exploitation, access to information, association with others, and play in supporting the child’s development under the United Nations Convention on the Rights of the Child (UNCRC). There are many concerns and needs that must be balanced when considering what is best for each individual child. The individual child’s best interest must be the primary consideration regarding data processing.
It’s unlikely that commercial business interests will outweigh a child’s right to privacy. But you may share children’s personal data as long as you have a compelling reason to do so, taking account of the best interests of the child. Compelling reasons may include safeguarding purposes or the importance of official national statistics of good quality information about children.
Even if you have a compelling reason for data sharing, a DPIA will be required. A DPIA can assess and mitigate risks to the rights and freedoms of children that arise from your data sharing.
Discover if you’re acting in the best interest of children by considering how your organization’s use of children’s data impacts the rights they hold under the UNCRC.
Once children’s rights are well understood, identify and assess the potential impacts of the child’s rights using your product or service. Create an action plan to address the risk areas highlighted in the risk assessment and apply the Children’s Code recommendations to reduce risk severity.
Although considering the best interests of the child is a main focus of the Age-Appropriate Design Code, there are 14 other standards. Rather than cover each standard in detail, here are five steps your organization can take to conform with the Code.
5 Steps to Conform to the UK Age-Appropriate Design Code
Map the Children’s Personal Data Flow
Map the personal data you collect from UK children. If you want to get ahead and prioritize the highest standard of protection for children possible, map all the children’s data your organization collects, shares, or processes. This must be done at least in California and possibly other U.S. states.
Generally, don’t share children’s data unless you can demonstrate a compelling reason to do so. If there is a compelling reason for sharing children’s information, conduct careful due diligence on third-party vendors with access to your data.
Determine a Risk-Based Age Verification Process
Determine a risk-based approach to identifying the users’ age and then effectively apply the Child Code standards to users under the age of 18. Establishing the age of users must be done with a level of certainty appropriate for the risks that the organization creates through the specific data processing activity. Otherwise, the organization must just apply the Child Code’s standards to all users.
There are multiple ways to estimate or verify the age of children and users. The ICO suggests:
- Self-declaration
- AI and biometric-based systems
- Technical design measures
- Tokenized age checking using third parties
- Hardcore identifiers like passports
Organizations should introduce measures that ensure accuracy, avoid bias, and explain the use of AI-based age assurance. Data minimization is critical. Do not collect anything or repurpose data or user profiles for any other purpose.
Provide a High Level of Privacy By Default
Don’t use children’s personal data in ways that are known to be detrimental to their wellbeing or go against industry codes of practice, other regulatory provisions, and Government advice. Settings must be high privacy by default.
Privacy by default allows people to access your products and services without sharing data. Then, when people are ready, they can opt-in to share their data with the company if they would like. Privacy is considered before products or services are designed and included throughout the business strategy. As we adapt to the digital world, this is becoming the standard in privacy and digital service development.
Some users may understand they are exchanging their information for the ability to access a product or service, such as social media or a digital gaming platform. But not all users, especially those under 18, understand how their data is shared with advertisers in exchange for using free products and services.
Provide:
- Clear information that is easy and designed for a child to understand
- Easy to access information about data protection and privacy
- Tools to help children exercise their data protection rights and report concerns
- Most adults don’t read or can’t understand the language in the notices they’re given. This is both a challenge and an opportunity for legal teams to develop a compliant and easy-to-understand privacy notice for all individuals – especially children.
Turn off Geolocation & Profiling Services
Geolocation and profiling options should be turned off by default. Unless you can demonstrate compelling reasons for geolocation or profiling to be on by default when considering the best interests of the individual child.
Additional safeguards to consider:
- Provide a clear, obvious, and age-appropriate sign for children to communicate that location tracking is active.
- If options make a child’s location visible to others, those options must default back to off at the end of each session.
- Only allow profiling if you have extensive measures in place to protect the child from any harmful effects.
- Don’t Use Nudge Techniques to Encourage More Personal Data Sharing
- Children are a vulnerable population. Don’t use techniques that lead or encourage children to provide more personal data than is necessary. Encouraging users to weaken or turn off their privacy protections is also considered nudging.
Nudging not only goes against the UK Age-Appropriate Design Code, but it’s also a practice that will quickly break users’ trust. By nudging users, you are hoping to wear down their resistance to sharing information with your organization. When a user provides consent, let them stick to their decision. Provide a preference center when possible to allow users to make choices regarding their personal information, consent, and your organization’s marketing and communication.
Assess Your Risk, Conduct DPIAs, and Comply with The UK Age-Appropriate Design Code
Review the ICO’s Children’s Code hub and full IOC Children’s Code best interests framework for the most comprehensive and updated information.
