Best interests of the child
- The best interests of the child should be a primary consideration when designing and developing online services likely to be accessed by a child.
Data protection impact assessments
- Firms should “assess and mitigate risks to the rights and freedoms of children” who are likely to access an online service, which arise from data processing.
- They should take into account differing ages, capacities and development needs.
- A “risk-based approach to recognising the age of individual users” should be taken.
This should either establish age with a level of certainty that is appropriate to the risks to the rights and freedoms of children that arise from data processing, or apply the standards in this code to all users instead.
- Privacy information provided to users “must be concise, prominent and in clear language suited to the age of the child”.
Detrimental use of data
- Children’s personal data must not be used in ways that have been “shown to be detrimental to their wellbeing, or that go against industry codes of practice, other regulatory provisions or Government advice”.
Policies and community standards
- Uphold published terms, policies and community standards.
- Settings must be set to “high privacy” by default.
- Collect and retain “only the minimum amount of personal data” needed to provide the elements of the service in which a child is actively and knowingly engaged.
- Give children separate choices over which elements they wish to activate.
- Children’s data must not be disclosed, unless a compelling reason to do so can be shown.
- Geolocation tracking features should be switched off by default.
Provide an “obvious sign for children when location tracking is active”.
- Options which make a child’s location visible to others must default back to off at the end of each session.
- Children should be provided age-appropriate information about parental controls.
If an online service allows a parent or carer to monitor their child’s online activity or track their location, provide an “obvious sign to the child when they are being monitored”.
- Switch options which use profiling off by default.
Profiling should only be allowed if there are “appropriate measures” in place to protect the child from any harmful effects, such as content that is detrimental to their health or wellbeing.
- Do not use nudge techniques to “lead or encourage children to provide unnecessary personal data or weaken or turn off their privacy protections”.
Connected toys and devices
- Connected toys and devices should include effective tools to ensure they conform to the code.
- Children should be provided with prominent and accessible tools to exercise their data protection rights and report concerns.
What does CEO of Internet Matters Carolyn Bunting say?
She said: “We support any measures that prioritise the safety and wellbeing of children online, and welcome ICO’s age-appropriate design code.
“Parents consistently tell us of their concerns about the online world and the risks it could pose to their child’s wellbeing, so we are delighted to see the interests of children at the very heart of the measures outlined today.
“A child’s online world is fundamental to their everyday life and we all – government, industry, schools and parents, share a responsibility to keep them safe online.
“And while we anticipate the introduction of new technical safety measures, there remains no substitute to having regular, open and honest conversations with your child to help keep them safe in the digital world.”