ICO Children’s Code
More young people are using the internet than ever before – in fact, one in five internet users in the UK are children – but despite this, regulators have become increasingly aware that the majority of the internet is designed and controlled in a way that does not protect or prioritise the needs of vulnerable age groups. Recently, a shift in focus, from protecting children from the internet to protecting them while they use it, has led to a change in legislation that seeks to address this issue. 'The Children’s Code' came into force on the 2nd September 2020 (being added to the existing Data Protection Act 2018) to recognise that by law children should receive extra protection online, just like they do in many other situations in the real world.
The new code has a number of implications for organisations that provide digital services used by children, and the Information Commissioner’s Office (ICO) has given organisations until the 2nd September 2021 to conform to it. The key principle behind the new code is that if you serve digital content to children that is informed by the personal data you collect from them, you are now legally obliged to actively protect their rights. This means turning off location services that can trace their whereabouts, ensuring privacy settings are set to 'high' by default, and not pressuring children to hand over more information about themselves with notifications or nudges. The code also requires the use of language that is appropriate to the targeted age group so they can understand how and why you are using their data, providing better transparency to children as well as parents and carers.
The legislation has been broken down into 15 standards to make it easier to ensure your organisation complies:
- Best interests of the child – This should be the primary concern when designing and developing a service that is likely to be accessed by a child.
- Data protection impact assessments – Use the DPIA assessment to ensure your design meets the criteria for different ages and capacities.
- Age appropriate application – Take a risk-based approach to ensure you tailor the code to children correctly.
- Transparency – Explain what data you use and why in language the child can understand.
- Detrimental use of data – Do not use their data in ways that are known to be detrimental to their wellbeing or go against codes of practice or advice.
- Policies and community standards – Follow and uphold your own policies and standards.
- Default settings – Keep the default data and security settings set to high.
- Data minimisation – Only collect the minimum amount of data needed to provide your service.
- Data sharing – Do not disclose a child's data unless you have a justification to do so and have the best interests of the child in mind.
- Geolocation – Disable geolocation options by default, or if tracking is necessary, make it clear to the child that their location tracking is on, and ensure it turns off automatically too.
- Parental controls – Ensure the child knows what the parental controls involve and, if they can be tracked or monitored by their parent or carer, that they are aware of this too.
- Profiling – Profiling should be off by default, and if profiling is needed then measures should be in place to protect the child.
- Nudge techniques – Do not use notification or nudge techniques to encourage a child to provide unwarranted personal information.
- Connected toys and devices – Ensure you include efficient options to adhere to the code.
- Online tools – Provide easy-to-access and easy-to-understand tools to allow children to exercise their data protection rights.
For more in-depth information and how this could affect your business, see the ICO's website.