United Kingdom

[GB] Age-appropriate design

IRIS 2019-7:1/20

Lorna Woods

School of Law, University of Essex

Under section 123 of the Data Protection Act, the Information Commissioner must prepare a code of practice that contains such guidance as the Commissioner considers appropriate in respect of standards regarding the age-appropriate design of relevant “information society” services that are likely to be accessed by children.

The Code must be presented to Parliament; thereafter, under section 127, it must be taken into account by the Commissioner when considering whether an online service has complied with its data-protection obligations. In drafting the Code, the Commissioner is required to consider the fact that children have different needs at different ages; the Commissioner must also take into account the UK’s obligations under the UN Convention on the Rights of the Child (UNCRC), including the obligation to act in the “best interests” of each child. She must consult a range of people (listed under s. 123(3)), including children, parents, child development specialists and trade associations. A draft code has been published for comment; the consultation period ended on 31 May 2019.

The draft code applies to information society services which process personal data; the term is defined as having the same meaning as that specified in the GDPR (save that preventive or counselling services are not included). Given the reference to the UNCRC, the Code applies to data of children under the age of 18 (by contrast to the digital age of consent for the UK, which is 13), although the Code distinguishes between 5 different age groups. A service need not be aimed at children to be caught by the Code; if it is likely that children will use the service then the Code applies. There have been some concerns that the Code will affect news and media outlets online.

The Code identifies 16 principles which develop the basic data protection principles in the GDPR. The primary consideration, however, is the best interests of children, as understood in Article 3 of the UNCRC. Information Society service (ISS) providers may deviate from some of the principles identified where there is a compelling case, but this must always be weighed against the best interests of the child and, as the draft Code makes clear, it is “unlikely… that the commercial interests of an organisation will outweigh a child’s right to privacy”. In addition, the Code identifies principles relating to: age-appropriate application; transparency; (prohibition on) detrimental use of data (e.g. marketing techniques and ‘sticky’ features); policies and community standards; default settings; data minimisation; (prohibition on) data sharing; geolocation; parental controls; profiling; nudge techniques; connected toys and devices; online tools; data protection impact assessments; and governance. The defaults on services must be privacy enhancing: geolocation and profiling must be off by default. Data collection must offer choice to the user but in general should collect only those data necessary to provide the service. As regards transparency, for children the ICO requires “bite sized” notices to be provided at the point at which personal data is used, and the notices must be tailored to the five age categories, that is, ‘age appropriate’. Children must also be informed as to when parental controls are active. The Code requires ISS providers not only to uphold privacy policies but also, more generally, user policies. Prominent and easy-to-use tools should be provided to help the user.



This article has been published in IRIS Legal Observations of the European Audiovisual Observatory.