Children’s Privacy – New Requirements for Businesses Providing Online Services

A statutory Code of Practice, the Age Appropriate Design Code (known as ‘The Children’s Code’), has come into effect in the UK and, post 2 September 2021, businesses must ensure they comply with it.

Who is caught?
The aim of the Code is to protect children when using online services “provided for remuneration”, including apps, games, social media sites, online marketplaces and websites, from companies that may be monitoring their data or using inappropriate advertising. The Code covers services “likely to be accessed by children in the UK under the age of 18”. Naturally, big companies such as TikTok and YouTube will be caught by the Code, but in practice it also covers any online app, website, etc. that a child may access, even if they are not the target audience.

Recommended protective measures
The Information Commissioner’s Office (ICO), the data protection supervisory body in the UK, has provided the following suggestions for businesses to comply with the Code:

• Map the personal data of children that is collected by the online service.
• Check the age of the people who use the online service.
• Turn off geo-location services that track the location of users.
• Do not use nudge techniques that may encourage children to provide more personal data.
• Set high privacy by default, so that personal data is only visible or accessible to other users of the service if the child (or parent) actively amends their settings to allow this.

How far you need to go in establishing age depends on what you are doing with children’s data and associated impacts. Age verification techniques you may wish to use include self-declaration, use of artificial intelligence, third party verification and technical measures. A potentially simpler option is to apply the standards in the Code to all users, regardless of age.

The ICO have also developed a ‘Best Interests of the Child’ Framework to further assist businesses. Helpful guidance is given on protective measures to implement, including:

• Ensuring privacy policies are presented clearly and prominently in an accessible form for children to understand.
• Depending on the child’s age and risks involved in the data processing, you may wish to prompt the child to consult an adult before proceeding.
• Settings that allow the sharing of child data with other users should be turned off by default.
• Do not disclose children’s data to third parties unless you have a compelling reason to do so, taking account of the best interests of the child.
• Consider whether the data use keeps children safe from commercial and sexual exploitation.
• Block ad-targeting and personalisation for children.
• Allow users the option to change their data sharing settings easily.

Having first determined whether children in the UK are likely to use your online services, businesses are advised to conduct a risk assessment to identify any areas that pose a particular threat to children’s privacy. Carrying out a Data Protection Impact Assessment is recommended, with technical solutions to be implemented based on the findings.

Sanctions for non-compliance
As with the general provisions of the General Data Protection Regulation (GDPR), the ICO has various powers to ensure compliance with the Code and to punish non-compliance. This includes investigation and audit rights, orders to stop processing and hefty fines of up to 4% of global annual turnover or £17.5 million.

For advice in relation to compliance with the Code, or generally in connection with data protection alignment, please get in touch.

Madeleine Rhodes