Information Commissioner's Office
ICO launches consultation on Code of Practice to help protect children online
The Information Commissioner’s Office has opened consultation on 16 standards that online services must meet to protect children’s privacy.
Age appropriate design: a code of practice for online services sets out the standards expected of those responsible for designing, developing or providing online services likely to be accessed by children and which process their data.
When finalised, it will be the first of its kind and become an international benchmark.
Elizabeth Denham, Information Commissioner, said:
Introduced by the Data Protection Act 2018, the draft code sets out 16 standards of age appropriate design for online services like apps, connected toys, social media platforms, online games, educational websites and streaming services. It is not restricted to services specifically directed at children.
The draft code says that the best interests of the child should be a primary consideration when designing and developing online services. It says that privacy must be built in and not bolted on.
Settings must be “high privacy” by default (unless there’s a compelling reason not to); only the minimum amount of personal data should be collected and retained; children’s data should not usually be shared; and geolocation services should be switched off by default in most circumstances. So-called “nudge techniques” should not be used to encourage children to provide unnecessary personal data, to weaken their privacy settings or to carry on using the service longer than they had intended. The draft code also addresses issues of parental control and profiling.
Ms Denham said:
“The ICO’s Code of Practice is a significant step, but it’s just part of the solution to online harms. We see our work as complementary to the current focus on online harms, and look forward to participating in discussions regarding the Government’s white paper.”
The code gives practical guidance on data protection safeguards that ensure online services are appropriate for use by children. It leaves online service providers in no doubt about what is expected of them when it comes to looking after children’s personal data. It helps create an open, transparent and safer place for children to play, explore and learn online.
The standards in the code are rooted in existing data protection laws that are regulated by the ICO. Organisations should follow the code and demonstrate that their services use children’s data fairly and in compliance with data protection law. Those that don’t could face enforcement action, including fines of up to £17million or 4% of global turnover, or orders to stop processing data.
Baroness Kidron, who led the parliamentary debate about the creation of the code, said:
“I welcome the draft code released today which represents the beginning of a new deal between children and the tech sector.
“For too long we have failed to recognise children’s rights and needs online, with tragic outcomes.
“I firmly believe in the power of technology to transform lives, be a force for good and rise to the challenge of promoting the rights and safety of our children. But in order to fulfil that role it must consider the best interests of children, not simply its own commercial interests. That is what the code will require online services to do. This is a systemic change.”
The code is out for consultation until 31 May. The final version will be laid before Parliament and is expected to come into effect before the end of the year.
The code was informed by initial views and evidence gathered from designers, app developers, academics and civil society. You can read the responses here.
The ICO also sought views from parents and children by working with research company Revealing Reality. The findings from that work are published for the first time today.
Notes to Editors
- The Information Commissioner’s Office (ICO) is the UK’s independent regulator for data protection and information rights law, upholding information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
- The Government included provisions in the Data Protection Act 2018 to create world-leading standards that provide proper safeguards for children when they are online.
As part of that, the ICO is required to produce an age-appropriate design code of practice to give guidance to organisations about the privacy standards they should adopt when offering online services and apps that children are likely to access and which will process their personal data. (A link to the parliamentary debate, led by Baroness Kidron, is here.)
The standards in the Code will be backed by existing data protection laws which are legally enforceable and regulated by the ICO. The regulator has powers to take action against organisations that break the law including tough sanctions like orders to stop processing data and fines of up to £17million or 4% of global turnover.
- The ICO has specific responsibilities set out in the Data Protection Act 2018 (DPA2018), the General Data Protection Regulation (GDPR), the Freedom of Information Act 2000 (FOIA), Environmental Information Regulations 2004 (EIR) and Privacy and Electronic Communications Regulations 2003 (PECR).
- Since 25 May 2018, the ICO has the power to impose a civil monetary penalty (CMP) on a data controller of up to £17million (20m Euro) or 4% of global turnover.
- The GDPR and the DPA2018 gave the ICO new strengthened powers.
- The data protection principles in the GDPR evolved from the original DPA, and set out the main responsibilities for organisations.
- To report a concern to the ICO, go to org.uk/concerns.