The UK privacy watchdog has unveiled a strict new code of practice for online services providers like Facebook and Google, requiring them to offer a “built-in baseline of data protection” for children.
The new rules will apply to online services likely to be accessed by children in the UK, requiring them to set the child’s privacy settings to high by default, disable location tracking by default, minimise data sharing, and disable profiling services for targeted advertising by default.
When designing and developing new online services organisations must also “consider the best interests of the child”.
The Information Commissioner’s Office’s new rules, known as the Age Appropriate Design Code, still need to formally pass the UK Parliament but are expected to be in force by next year. The code alone is not legally enforceable but the regulator says it will be a factor in its assessment of compliance with General Data Protection Regulation and Privacy and Electronic Communications Regulations, data protection laws which carry hefty penalties.
“If you do not follow this code, you may find it difficult to demonstrate that your processing is fair and complies with the GDPR or PECR,” the regulator says in its online guidance.
The code sets out 15 standards for protecting children online and applies to all “relevant information society services which are likely to be accessed by children”.
The “technology neutral design principles” include things like undertaking risk assessments, establishing the age of the child, not using data in a way that is detrimental to the wellbeing of the child, and collecting and retaining only the minimum amount of data needed to offer the service the child is actively and knowingly engaged in.
The data collection rules in particular have implications for the wider online advertising industry, with industry bodies challenging the code during the consultation period last year. The IAB UK called for a redraft of the code, saying in practice the code could be “unworkable” and “potentially damaging”.
Facebook and Google, which rely on personal information to sell targeted audiences to advertisers, also both argued against keeping data collection on children to a minimum through default settings, saying it would damage their ability to offer personalised services.
But the ICO says its new code is overdue.
“One in five internet users in the UK is a child, but they are using an internet that was not designed for them,” said UK Information Commissioner Elizabeth Denham in a news release.
“There are laws to protect children in the real world – film ratings, car seats, age restrictions on drinking and smoking. We need our laws to protect children in the digital world too.
“In a generation from now, we will look back and find it astonishing that online services weren’t always designed with children in mind.”
In her Commissioner’s foreword in the code, Denham said the code is not intended as a substitute for parental guidance but can provide greater confidence that children will be safer online.
“There is no doubt that change is needed. The code is an important and significant part of that change.”