Age Appropriate Design for Digital Services
How do we best safeguard children in the digital world? It is a question at the forefront of parents’ minds, but it can be a minefield to address given the wide range of ways children now engage digitally such as through connected toys and devices, online games, streaming services, social media, educational websites, the list goes on. It is vital therefore that organisations designing or offering digital services that are likely to be accessed by children are proactive in addressing this issue.
The Children’s Code, a statutory Code of Practice issued by the Information Commissioners’ Office came into force last year and organisations have until 2nd September 2021 to achieve compliance. Where organisations whose digital services are likely to be accessed by children cannot demonstrate compliance, they are likely to find themselves in breach of applicable UK data protection legislation which can have serious implications such as very substantial fines and serious reputational damage.
The Children’s Code sets out 15 standards aimed at helping organisations to design their services having regard to the best interests of children. The standards are not hard and fast rules, and each organisation will need to determine how the standards need to be applied to their specific services.
A key part for all organisations in demonstrating compliance with data protection legislation is having undertaken and acted upon appropriate data protection impact assessments and this holds true in relation to the Children’s Code. Organisations therefore need to ensure that they have done appropriate assessments for existing services as well as new or developing services and reflected their findings in the design of such services.
Whilst the Children’s Code is not prescriptive it does set out clearly some practical steps that organisations are expected to take such as:
- Publishing and upholding terms, policies and community standards.
- Implementing high privacy default settings and turning off location tracking and profiling options as standard.
- Giving children clear information about parental controls.
An important point to note is that the Children’s Code makes it clear that when it talks about children it means those under 18. Many organisations in the UK currently think in terms of under 13s when considering data protection issues and so this approach needs to shift. The risk-based approach to data protection in the UK does however mean that the age of individual users will be relevant. This means organisations can either take steps to establish the age of users in order to apply the standards accordingly or apply the standards universally to all users. Clearly an educational website aimed at pre-school children will need a different approach to a social media app used by teenagers and adults.
Age appropriate design obviously needs to reflect how children engage with a service, for instance can they understand the information presented to them, but it also encompasses what organisations do behind the scenes. It is key to compliance to ensure careful consideration is given to what personal data is collected and how it is used. If organisations are collecting/retaining personal data that is not needed to provide their service or sharing personal data without good reason then achieving compliance will be difficult.
Given the 2nd September 2021 compliance deadline organisations need to consider what steps they need to take now if they have not already started this process.
If your organisation would like further information or assistance in relation to the Children’s Code or any other data protection matter you can contact us on 0800 2800 421 or fill out our contact form above.