The United Kingdom’s Children’s Code — under its Data Protection Act 2018 — that outlines 15 standards of privacy and security that online services that cater to children must adhere to, came into force yesterday, the Information Commissioner’s Office (ICO) announced. This Code applies to social media platforms, streaming services, connected toys and all other services that process children’s data. Such organisations now have twelve months to get their services and products up to code or face audits, assessments, or fines up to 4% of global turnover or £17 million, whichever is higher.
The ICO had published the Children’s Code, formally called the Age Appropriate Design Code, in January. The code covers all services that design, develop or provide online services that are likely to be accessed by children and which process their data. Children are defined as people up to the age of 18 years.
To adhere with the code, services will have to automatically, or by design, provide children with a “built-in baseline of data protection” as per 15 standards which include:
- Setting privacy settings to high by default
- Not using nudge techniques to cajole children into weakening their privacy settings
- Switching off location data by default
- Minimising data collection and sharing
- Not profiling children to serve them targeted content
- Establishing age with a level of certainty so that the Code can be applied only to users who are under 18 years, or, if age verification mechanisms cannot be developed, applying the standards of this code to all users
What will happen in this transition period? During these twelve months, organisations can get in touch with the ICO to understand the code, and the office will develop a package to help them adapt their online products and services before September 2, 2021. This month, ICO is conducting webinars to advise members of trade associations in the gaming, video streaming, social media and connected toy sectors.
Will all online services be equally affected? No. Services such as apps, connected toys, social media platforms, online games, educational websites and streaming services that use, analyse and profile children’s data, are likely to have to do more to conform to the code.
- The code will continue to apply post-Brexit. After Brexit, it will apply to services established in the European Economic Area (EEA) the same way as it applies to services outside it.
ICO is inviting organisations to participate in its regulatory sandbox. The regulatory sandbox is open to organisations that are looking at issues raised by the implementation of the Children’s Code, or those that are looking at data sharing in public interest.
Indian Data Protection Bill has something similar, but not quite
India’s Personal Data Protection Bill, 2019, has a similar concept of what it calls guardian data fiduciaries. These are data fiduciaries that “operate commercial websites or online services directed at children” or “process large volumes of personal data of children”. Such fiduciaries are prohibited from profiling, tracking, doing behavioural monitoring, or targeting advertisements at children. However, the bill does not define any penalties for violating guardian data fiduciaries that violate these standards.
Similarly, the bill also states that a child’s age must be verified before their data is processed and consent must be sought from their parent or guardian. The details of the age-verification mechanism have been left up to the Data Protection Authority to define once the bill is enacted. Unlike the British Children’s Code, that defined a transition period when it was finalised in January, the Indian equivalent has no transition period defined for any of its sections.