The Information Commissioner’s Office (ICO) has published a code of practice for protecting children’s digital privacy, as called for by the Data Protection Act 2018.
Published on Monday, Age appropriate design: a code of practice for online services is up for public consultation. It applies to services specifically aimed at children, but also to general online services that they are likely to use. This puts not just connected toys and child-focused devices within its purview, but a wide range of other services. These range from social media platforms to search engines.
The code sets out 16 standards for age-appropriate design intended to protect children’s rights. Under the guidance, developers and service providers would have to make all settings ‘high privacy’, and switch off geolocation options by default. They would have to highlight parental controls to children, explain to them when they are being monitored, and turn off by default any options that use profiling. They would also have to avoid ‘nudge’ techniques that encourage children to provide unnecessary personal data.
Other principles set out in the guidelines include keeping the best interests of the child in mind, designing products and services in an age-appropriate way, and using age-appropriate language when explaining privacy information.
The code directly supports Recital 38 of the GDPR, which says children merit specific protection against the use of their data for marketing and profiling.
The guidelines are more than mere rhetoric, warns the ICO, which has flexed its muscles in other cases, most recently fining pregnancy club Bounty £400,000 for privacy infractions.
“If you process a child’s personal data in breach of this code and the GDPR or PECR, we can take action against you,” it warned in the text. Published in 2003, the Privacy and Electronic Communications Regulations (PECR) implement the 2002 European e-privacy Directive.
The consultation period runs until 31 May 2019, and a final version will come into effect before the end of the year, the ICO said.