‘Plenty still to be done’ as deadline looms for new child privacy protections
2 March 2021, 11:34
Businesses that provide online services to children have six months left to implement the ICO’s Age Appropriate Design Code.
Tech firms have been warned by the Information Commissioner that there is “plenty still to be done” in preparation for new child privacy protection measures which come into force in six months.
The Age Appropriate Design Code sets out 15 standards that companies must build into any online services used by children, making data protection of young people a priority from the design up.
These can stretch from apps and connected toys, to social media sites and online games, and even educational websites and streaming services.
Three quarters of businesses are aware of the code, according to a survey of 500 services and businesses by the Information Commissioner’s Office (ICO), but initial analysis suggests some are still in the preparation stages.
NEW: It's six months until the Children’s Code comes into force. If you’re in scope, you need to get ready now so you’re compliant with the law by 2 September. A good place to start is our Children’s Code hub, which has advice and guidance. Find it here: https://t.co/nDoPz867DH pic.twitter.com/NYhFdif6CP
— ICO – Information Commissioner's Office (@ICOnews) March 2, 2021
Information Commissioner Elizabeth Denham will highlight the importance of the code when addressing the Oxford Internet Institute on Wednesday.
“This week marks six months until the code is fully in place, and there is plenty still to be done, both by my office in supporting organisations, and in businesses stepping up to make the necessary changes,” she will say.
“But that work will be worthwhile. The code is an important piece of work in protecting children.
“In the coming decade, I believe children’s codes will be adopted by a great number of jurisdictions and we will look back and find it astonishing that there was ever a time that children did not have these mandated protections.
“There is a more fundamental point here too: if we have a generation who grow up seeing digital services misuse their personal data, what does that do to their trust in innovation in the future?”
Organisations that fail to follow the code after the transition period ends on September 2 2021 could face enforcement action by the data regulator, which include compulsory audits, orders to stop processing and fines of up to 4% of global turnover.
Under the rules, privacy settings must be set to high by default and nudge techniques should not be used to encourage children to weaken their settings, the code states.
Location settings that allow the world to see where a child is should also be switched off by default.
Data collection and sharing should be minimised, and profiling that can allow children to be served up targeted content should be switched off by default too.
Emily Keaney, the ICO’s director of regulatory strategy, said: “The Children’s Code plays a vital role in protecting children online.
“Businesses need to turn their awareness into action. If they haven’t already, services affected must take action now if they are to meet the September 2021 deadline.”
