The ICO’s Age Appropriate Design Code: Uses Detrimental to Children
This post discusses Standards 4, 8, 9, 11, and 12 of the draft Age Appropriate Design: A Code of Practice for Online Services published by the UK’s Information Commissioner’s Office (ICO). These Standards prohibit the detrimental use of children’s data.
Standard 4 would establish a general rule prohibiting the use of children’s personal data “in ways that have been shown to be detrimental to their wellbeing [or have been formally identified as requiring further research or evidence], or that go against industry codes of practice, other regulatory provisions, or Government advice.” The Code specifically calls for caution when profiling children, including making inferences based on their personal data; advertising or marketing to children; processing their geo-location data; sharing their personal data; and using “nudge techniques.”
Standard 11 would require profiling to be turned off by default unless a provider, taking into account the best interests of the children, could demonstrate a compelling reason to profile. If profiling were turned on, appropriate measures would be required to protect children from any harmful effects. In addition, age appropriate information would be required at the point of turning profiling on to tell children what will happen to their personal data and to disclose any inherent risks. Age appropriate prompts to seek assistance from an adult are also recommended. Bundling notices and consent would not be permitted. Providers would be required to give separate privacy settings for each different type of profiling.
Marketing and Advertising
With regard to marketing and behavioral advertising, Standards 4 and 11 of the Code point to guidance published by the UK’s Committee of Advertising Practice.
Standard 9 of the Code would require providers to switch off geolocation options by default unless a provider, taking into account the best interests of the children, could demonstrate a compelling reason to collect geolocation data. (Geolocation data is defined to include GPS data and data about connections with local WiFi equipment.) If a provider were able to demonstrate a compelling reason, it would be required to provide notice to children at the time of signup, as well as an “obvious sign” when geolocation collection is active. Moreover, the ICO recommends prompting children to speak with a trusted adult about the collection of geolocation data.
Standard 8 would prohibit sharing children’s personal data unless the provider were able to demonstrate a compelling reason to do so, which is both “fair” to and in the “best interests” of the child. This includes disclosing data to third parties, as well as sharing data within and between the different parts of an organization (e.g., with affiliates). Selling children’s data for commercial re-use is unlikely to satisfy the “compelling reason” standard.
When providers do share children’s personal data, they would be required to obtain assurances from whoever they share the personal data with that it will not be used in any ways shown to be detrimental to the wellbeing of children. Due diligence checks as to the adequacy of data protection practices and further distribution of data would be recommended.
Standards 4 and 12 address the use of so-called “nudge techniques.” The Code would prohibit the use of children’s personal data to support “strategies used to extend user engagement” or “sticky features,” which include reward loops, continuous scrolling, notifications and auto-play features that encourage users to continue playing a game, watching video content or otherwise staying online. Moreover, the Code would prohibit the use of such techniques to encourage children to provide unnecessary personal data or to turn off privacy protections.