The ICO’s Children Code (a regulation with enhanced privacy protections for children) has come into force in the UK. Companies providing online services and products to children under the age of 18 have one year to improve their privacy practices or risk heavy fines from the ICO.
The statutory code which went into effect on September 2 limits the amount of data online services can collect from children. It covers all services that design, develop or provide online services that are “likely” to be accessed by children up to age 18. It is expected that the code will severely affect social media platforms such as YouTube and TikTok, connected toys, educational websites, streaming services like Netflix and gaming companies.
The code is a set of 15 standards that provides built-in protection for children. It ensures that the “best interests” of the child are considered at the designing and developing stage of online services.
A few of the standards include:
- Privacy settings set to high by default.
- Nudge techniques should not be used to encourage children to provide unnecessary personal data or turn off privacy settings.
- Provision of clear and accessible privacy information for children and parents.
- Data collection and retention kept to a minimum. Businesses should not collect more data than is needed to provide a service.
- The code also limits data sharing. Children’s data should not be shared with a third party without a compelling reason.
- Businesses should not profile children for the purpose of serving them targeted content.
- Geo-location turned off by default.
- Businesses should complete a DPIA at the early stage in the design of services. This will help to assess and mitigate risks to the rights of children that may use the service.
In summary, businesses should not use personal data in a way that is detrimental to the wellbeing of children.
Elizabeth Dunham, Information Commissioner said,
This code makes clear that kids are not like adults online, and their data needs greater protections. We want children to be online, learning and playing and experiencing the world, but with the right protections in place.
The ICO has given businesses a year to implement changes and enforcement will begin in September 2021. For organisations who breach the code, the ICO can give them a fine up to 4% of global revenue or £17 million.
A welcome development
These standards are a welcome development particularly for the social media sector where accusations of breaching data rights are rife. For example, in 2019, the FTC fined YouTube $170 million for collecting data on children without their parent’s consent. More recently, YouTube is facing a £2.5 billion lawsuit over allegations they harvest children’s data without explicit permission and sell the information to advertisers.
The Children’s Code is the first of its kind in Europe and signals strong efforts to do more to protect the data rights of children.
For support on how to implement the code in your business, get in touch with us for a consultation.
Kazient Privacy Experts offer bespoke Data Protection, Privacy and GDPR compliance solutions in a language you understand to UK and international organisations, and has received positive media coverage across Europe. Kazient’s GDPR consultants are fully certified to be your outsourced Data Protection Officer or EU Representative. Get in touch to find out how we can help your business by visiting our website www.kazient.co.uk or calling us on 0330 022 9009.