What you Need to Know about the UK's Children's Code
The UK's Children's Code came into force in September 2021. It has a statutory footing, meaning that the UK's data protection authority, the Information Commissioner's Office (ICO), must take it into account when considering compliance with the UK GDPR or the Privacy and Electronic Communications Regulations (PECR). A court must also take the Children's Code into account where relevant, and it could be used in evidence. Fines for non-compliance with the GDPR can be as high as 20 million Euros, UK £18.5 million, or 4% of global annual turnover.
The Code is having an impact. Platforms such as Instagram, TikTok and YouTube all implemented changes to comply with some of the Code but not all of it. TikTok turned off notifications for children past bedtime, Instagram disabled targeted adverts for under-18s and YouTube turned off autoplay for teen users.
It's also having an impact globally. In the US, Senator Edward Markey and Representatives Kathy Castor and Lori Trahan sent a letter to the CEOs of Amazon, Facebook, Google, Snapchat, TikTok and Twitter urging them to extend privacy protections required under the United Kingdom’s Age Appropriate Design Code (AADC) to children and teens in the United States.
So What is the Code?
The Code is a set of 15 standards that help an online service build in privacy by design. Any service that is directed to children or likely to attract children needs to comply. This has caused some controversy within industry and confusion over how to determine whether a service is likely to attract children. If your online service appeals to children up to the age of 18, even if it's not designed for them, you should implement measures to protect them. Age verification, assurance and estimation are all tools to help you know your audience, and industry is fast developing user-friendly, privacy-preserving methods. The GDPR and the Code are risk-based, so the measures you will need to implement to provide an appropriate experience for children will depend on the nature of the collection and processing of users' personal data. Conducting a data protection impact assessment (DPIA) will help you understand what data your service collects, map it to a risk and then put the appropriate controls in place.
If your service meets the requirements of the Children’s Online Privacy Protection Act (COPPA), does that mean it's in line with the Code?
Simply put, no. Under the GDPR and the Code, everyone is a child until they reach 18. COPPA requires an online service to treat children aged 12 or under compliantly, so anyone 13 or older does not have the protections that COPPA offers younger users. The Code also requires that the child is provided with clear and accessible privacy notices suitable for their age group. Children’s rights and best interests are at its heart, whereas COPPA puts the parent in control. There are some other differences, but there are also similarities. The GDPR, and by extension the Code, takes a risk-based approach to collecting and processing children’s data, but so does COPPA. COPPA’s sliding scale of consent allows an online service to obtain different levels of consent mapped to the collection and use of the personal information, with a verified parent providing consent for riskier activities such as disclosure of personal information in chat rooms or through user-generated content.
What steps should I take to comply?
- Know your audience – what age ranges are using your service? Until you know this, you don’t know what the risks are or what controls to put in place to mitigate them. Some of the ways to establish age include self-declaration, identifiers, account holder confirmation and age verification, and new methods are in development, including the use of AI.
- Conduct a DPIA to identify all data collected and to understand the risks associated with the data processing. The ICO has a handy template you can use.
- Include privacy settings which are on by default. For example, a user’s account should be set to private, and it should allow them to enable and disable public sharing in a platform or community.
- Provide child-friendly, accessible privacy notices and just-in-time notices letting the child know why the service is asking for information and what it will be used for.
- Consider the best interests of the child. For example, does the service really need to collect all the personal information it does to provide the experience? Introduce warnings if the child has been playing for a lengthy period, and don’t use nudge techniques to push the child into certain behaviors.
- Switch off geolocation unless there is a justifiable and compelling reason to use it. Make sure it is clear to the user if location tracking is on, and only use this feature if it is essential to the functioning of the service. Build in measures to ensure that it is turned off and a child’s location is not visible to others if it is not required or being used. Of course, a lawful basis for processing this data is required, as it is for processing any personal data.
- Work with a privacy partner like PRIVO to ensure you are compliant with the Code. Learn more about how PRIVO's GDPRkids™ Privacy Assured Program can help you comply.
If you follow the standards of the Code and bake privacy into your design, you will be building brand trust and integrity, which in turn supports lifetime value and engagement: a win-win.