The ‘Age Appropriate Design Code’ Explained

In the age of the internet, more needs to be done to keep children safe online. By the age of five, the average UK child will have roughly 973 pictures of them online. Not to mention, children as young as three are using mobile devices and the internet on a regular basis, with many signing up to apps, social networking sites and online games.

But unsurprisingly, most children are unaware of the risks of sharing their personal information over the internet, so it’s the job of parents and caretakers to keep them safe. Businesses also need to take responsibility for how they’re collecting, storing and handling this data, only collecting information from minors when it’s absolutely necessary.

The good news is that, alongside the recent changes and implementation of the General Data Protection Regulation (GDPR), the Information Commissioner’s Office (ICO) has proposed the ‘Age Appropriate Design Code’. This is a new concept designed to protect children online. In this guide, we’ll explain what the code means, the guidelines it sets out and how it protects children on the internet.

What is the purpose of this code?

In a nutshell, the code is set out to offer practical guidance to businesses on how they can incorporate data protection into their online services to ensure they are compliant with GDPR and the standards set out by the United Nations. The code also offers advice on how organisations can use safeguards to create a service that is appropriate for and meets the development needs of children.

The Age Appropriate Design Code will play a big role in supporting online service providers by offering them guidance and a checklist against which to measure whether they’re GDPR compliant or not. The code will also assist in demonstrating what they’re doing to fulfil their data protection obligations. This is important for businesses that offer online services, as it helps to show parents what they’re doing to keep their children safe online. It can help to boost the reputation of the company, proving they’re a reliable service and that they are appropriate for children to use.

What are the standards set out in the code?

The code is set out to help businesses implement data protection best practices, to ensure their online services safeguard children and comply with GDPR. It is broken down into 16 criteria and companies must ensure they meet all the correct standards, as outlined below:

1. The best interests of the child – this should be the primary concern of businesses when developing online services that will be used by young people
2. Age range – how old are the target audience and what are their specific needs?
3. Clear privacy information – all terms, conditions and privacy settings must be clear, concise, visible and in a language that a child can understand
4. Detrimental use of data – businesses must not use children’s sensitive data in any way that can be detrimental to their wellbeing or that goes against industry code and Government-issued advice
5. Upholding standards – businesses must uphold all the standards and published terms they have set out for their services
6. Default privacy settings – all settings should be high-privacy as standard
7. Minimal data collection – as with most services, businesses should only collect and retain personal information they need to provide an effective service
8. Data sharing – businesses cannot share children’s data unless they can prove they had a compelling reason to do so
9. Be careful with geolocation – geolocation must be switched off by default and if tracking is needed, clear signs must be given. Location tracking must default back to ‘off’ after each session
10. Parental controls – if the online services provide parental controls, children must be given clear (age-appropriate) notifications that they are being monitored
11. Profiling – services must switch off profiling options by default unless they can provide a compelling reason for having these on. Profiling can only be allowed if appropriate safeguards are in place to protect the users
12. Avoid nudge techniques – online services cannot use nudge techniques to try and encourage children to share more of their data, to edit their privacy settings or to extend their online usage
13. Connected devices – if a business provides a toy or device that is connected to their services, this must also be compliant with GDPR and the Age Appropriate Design Code
14. Data protection assessments – businesses must run regular security audits to assess and mitigate the risks to children that use their services
15. Provide online tools – services must offer easily accessible tools that allow children to exercise their rights to protection and report any concerns they may have
16. Accountability – online service providers must have policies and procedures in place that prove how they govern their services and take accountability for data protection

How can this code help parents?

As previously stated, parents play a huge role in protecting their children online, but this can be tricky to do if children aren’t transparent about their usage or if parents are unaware of the dangers of sharing personal data over the internet. As such, it can be easier for them to simply ban their children from using certain sites or games, instead of trying to oversee/govern their time on the site.

This means that children lose out on the opportunity and their rights to enjoy these online services, specifically those aimed at children. The code is therefore set out to help give parents peace of mind, whilst also doing more to protect children. It helps to shift some of the responsibility from the parent onto the service provider, whilst respecting their right to make choices on behalf of their children.

How does this code protect the rights of children?

Putting together this code was no mean feat: the ICO had to take into consideration the fact that children will have different needs at different ages. It was also important to factor in the rights and duties of parents to govern their children and respect these, without infringing on the rights of the children and their evolving capacity to make their own decisions.

As such, the Age Appropriate Design Code is set out to ensure online services collect and use children’s data safely, in a way that supports their rights to the following:

  • Freedom of expression, thought, conscience and religion
  • The right to privacy
  • Access to age-appropriate information from the media
  • Protection from harmful content
  • The right to play and engage in age-appropriate online activities
  • Protection from forms of exploitation such as economic and sexual exploitation

So, to summarise, the code aims to protect children’s rights to enjoy themselves online and engage with age-appropriate content and activities, whilst simultaneously protecting their privacy and keeping them safe from exploitation.