No one would disagree that children are a vulnerable population. That's why we put measures in place to protect them from adult things: film ratings, car seats and age restrictions on smoking, for example. So why would protections not extend to the digital world, Information Commissioner Elizabeth Denham asked this week as her office unveiled a set of rules known as the "Age Appropriate Design Code." After all, one in five U.K. internet users is a child.
The code, which will require parliamentary approval, outlines 15 standards online services should follow to protect children’s privacy, noting children’s best interests should be a primary consideration in designing and developing online services. It also provides guidance on data protection safeguards aimed at ensuring online services are appropriate for children's use.
“In an age where children learn how to use an iPad before they ride a bike, it is right that organizations designing and developing online services do so with the best interests of children in mind,” Denham said in a news release. “Children’s privacy must not be traded in the chase for profit.”
The standards apply to services likely to be used by someone under the age of 18 that process their data, including apps, social media platforms, online games, educational websites and streaming services. The code requires platforms to set privacy settings to "high" by default, minimize data collection and sharing, turn off by-default location tracking and targeted advertising, and to not use “nudge techniques” to encourage children to provide unnecessary personal information. The code also calls for data protection impact assessments, a risk-based approach to recognizing a user’s age, and transparency in privacy and data policies.
Before it can head to Parliament for approval, the code was submitted to the secretary of state in November. If passed by Parliament, organizations will have 12 months to update practices before it takes full effect. That means a compliance date looks to be around fall 2021.
The ICO said the code’s standards are rooted in the EU General Data Protection Regulation's provisions. For example, the code states companies that don’t conform could face fines of up to 4% of their annual worldwide turnover.
“The code is not a new law, but it sets standards and explains how the (GDPR) applies in the context of children using digital services. It follows a thorough consultation process that included speaking with parents, children, schools, children’s campaign groups, developers, tech and gaming companies and online service providers,” an ICO news release stated.
But the new rules are not without opposition, as The New York Times reports. Tech companies and trade groups have stated their objections. Companies have argued the code is too burdensome, broad and will lead to collection of even more personal data from children to distinguish them as users. Trade groups have said smaller companies may no longer be able to provide free services for children as they will have difficulty making money from advertising to them.
While techUK supports the ambition behind the code, Deputy Chief Executive Antony Walker told the NYT, “We do have some real reservations.” He said the industry group is particularly concerned the new rules “could lead to some unnecessary age-gating of online services.” And Coalition for a Digital Economy Executive Director Dom Hallas said while some may see the code as a victory for children, the advocacy group for startups sees it as “a restriction in the services that startups can build for kids.”
The Washington Post reports privacy advocates are hopeful the U.K.'s action on this will inspire action by lawmakers in the U.S. “Young people should be able to learn, grow and benefit from technology without being subject to harms, and this code establishes standards for companies to follow and prioritize children’s best interests,” said James Steyer, CEO and founder of family advocacy nonprofit Common Sense. “Parents, teachers and families everywhere deserve such safeguards, and we hope the U.S. soon follows suit.”
Denham said the code is “the first concrete step” toward protecting children online and is “just part of the solution.” The ICO will continue to work with others in the U.K. and around the world to ensure the rules complement other measures being developed to address online harms, she said.
“A generation from now, I believe we will look back and find it peculiar that online services weren’t always designed with children in mind,” Denham wrote in her forward within the code. “When my grandchildren are grown and have children of their own, the need to keep children safer online will be as second nature as the need to ensure they eat healthily, get a good education or buckle up in the back of a car.”