ICO publishes guidance on three standards of Children’s Code
What must organisations do, or avoid doing, to meet the “best interests of the child”, “detrimental use of data” and “data minimisation” standards of the Children’s Code?
The key takeaway
The ICO’s additional guidance should be used to ensure that organisations whose online services are likely to be accessed by children do not breach the Children’s Code and subsequently the UK General Data Protection Regulation.
The Children’s Code (the Code) is a statutory code of practice produced by the ICO. It consists of 15 “standards” which must be met by organisations providing an “information society service” (ISS) that children (under 18) in the UK are likely to access. The definition of an ISS is wide and encompasses most for-profit online services, such as apps, search engines, social media sites and content streaming services.
The ICO has provided guidance on how organisations can meet three of the Code’s standards, namely “best interests of the child”, “detrimental use of data” and “data minimisation”.
Best interests of the child
This standard requires organisations to consider children’s rights to play, to be safe from commercial exploitation, to be protected from abuse when they interact with others and to have access to a wide range of information and media. The ICO’s suggestions for meeting each of these rights are as follows:
1. The right to play:
- use data analytics to improve gameplay functions, and
- ensure that children are free to join or leave online groups.
2. The right to be safe from commercial exploitation:
- avoid default personalised targeting of service features that generate revenue
- provide transparent information around how children’s data may be monetised
- do not have personalised advertising on-by-default
- abide by the Committee of Advertising Practice standards, and
- avoid marketing age-inappropriate or fraudulent products.
3. The right to protection from abuse when interacting with others:
- avoid on-by-default data sharing with other service users
- set privacy settings to “high privacy” by default
- ensure children understand how their information is shared, and
- keep children’s personal data from falling into the wrong hands.
4. The right to have access to a wide range of information and media:
- ensure that children can find diverse, age-appropriate information, and
- avoid serving children with personalised information that is not in their best interests, such as disinformation.
Detrimental use of data
The ICO states that, to comply with this standard, organisations must conform with:
- the UK GDPR;
- industry codes of practice;
- Government advice; and
- any other regulatory provisions.
This is clearly very general advice and so organisations should look to the ICO’s more detailed guidance on this standard, located on its website.
Again, the ICO gives more detailed guidance elsewhere on its website, but its general advice to organisations is that they should:
- be clear about the purposes for which they collect personal data
- consider what personal data is needed to deliver each element of their service, and
- give children as much choice as possible over which elements of their service they wish to use and how much personal data they must provide.
Why is this important?
The Code is not a new law, but rather an add-on to the UK General Data Protection Regulation (UK GDPR) that explains how the UK GDPR applies in the context of children using digital services. As such, an organisation found to be in breach of the Code runs the risk of incurring a fine of up to £17.5m (or up to 4% of worldwide turnover), or even facing criminal prosecution. The Code also affirms the ICO’s strict approach with regard to protecting the most vulnerable of society from possible exploitation.
Any practical tips?
The Code is strict, but the ICO’s guidance is thorough. Organisations that may be providing an ISS to children should go through the guidance carefully and ensure that they comply in full. A Data Protection Impact Assessment template can be found on the ICO’s website and may prove useful in ensuring compliance.