08 September 2021
September 1st 2021 saw the end of the twelve month implementation period granted by the Information Commissioners Office (ICO) for their new Children's Code, a series of standards that governs how online services that are likely to be accessed by children should appropriately safeguard their personal data.
The code applies to a wide range of digital services: apps, games, websites, community platforms, messaging systems, social media, search engines and even toys and IoT devices that might not possess a screen but still connect to the internet. The code isn’t a new law but classified as a Statutory Code of Practice under the Data Protection Act 2018. The ICO have warned that anyone who doesn’t confirm to these standards will find it hard to demonstrate that “processing is fair and complies with GDPR” and that further action may be taken.
The Code considers anyone under eighteen as a child and applies to both new and existing services.
Largely the code consists of fifteen main points, which we summarise very briefly below but we would strongly recommend visiting the ICO website to read up on further.
- 1. When designing and developing an online service that children may access, take the best interests of the child into consideration.
- 2. Undertake a DPIA (Data Protection Impact Assessment) before launching your service to mitigate the rights of children likely to use the service.
- 3. Be aware of the different ages of children likely to be using the service.
- 4. Be transparent and use child-friendly explanations when describing how personal data is used.
- 5. Do not use childrens’ personal data in ways that are shown to be detrimental to their wellbeing.
- 6. Uphold your own policies and terms.
- 7. Ensure that by default, privacy settings are ‘high’ unless you can demonstrate a compelling reason not to.
- 8. Collect the minimal personal data required to operate your service and give children choices over what parts of the service they wish to use.
- 9. Do not disclose or share children’s personal data unless there is a compelling reason to do so.
- 10. Switch geolocation options off by default unless there is a compelling reason to do so, and where they are used make the child aware that location tracking is active.
- 11. If parental controls are employed, provide age appropriate information about this.
- 12. If your service uses profiling, switch this off by default unless there is a compelling reason not to. Only use profiling if there are measures in place to protect the child from potential harmful effects of it.
- 13. Avoid using nudge techniques that encourage children to provide unnecessary personal data.
- 14. Ensure any toys or IoT devices also comply with the code.
- 15. Provide prominent and accessible tools to allow children to exercise their data protection rights.
We will be writing more articles around the new code detailing the approach we have taken to compliance and observations we have made, and we will also be advising and working with our local authority partners to ensure that the services we provide them comply.
For further reading: