Children's Code

Last updated

The Age appropriate design code, also known as the Children's Code, is a British internet safety and privacy code of practice created by the Information Commissioner's Office (ICO). The draft Code was published in April 2019, [1] [2] as instructed by the Data Protection Act 2018 (DPA). [3] The final regulations were published on 27 January 2020 and took effect 2 September 2020, with a one-year grace period before the beginning of enforcement. [4] [5] The Children's Code is written to be consistent with GDPR and the DPA, meaning that compliance with the Code is enforceable under the latter. [1] [2]

Contents

It applies to any internet-connected product or service that is likely to be accessed by a person under the age of 18. It requires online services to be designed in the "best interests" of children and their health, safety, and privacy, requiring that they be afforded with the strongest privacy settings by default, that only data strictly necessary to deliver individual service elements is collected from children unless there is justification, and that children's personal data not be disclosed to third-parties unless there is justification. It also requires privacy policies and controls to be presented in a manner that is clear and accessible to children, including prohibiting dark patterns.

History

Baroness Beeban Kidron sponsored the amendment to the DPA that mandated the development of the Code. [6] Upon the implementation of the Code in 2021, she explained that "[the Code] shows tech companies are not exempt. This exceptionalism that has defined the last decade, that they are different, just disappears in a puff of smoke when you say, 'actually, this is business.' And business has to be safe, equitable, run along rules that at a minimum protect vulnerable users. [7]

Contents

The Children's Code is a code of practice enforceable under the Data Protection Act 2018, and is consistent with GDPR and the Convention on the Rights of the Child. It specifies design standards for any information society services (ISS, which includes websites, software and apps, and connected toys) that are likely to be used by a person under the age of 18 and is based in or serves users within the United Kingdom. [3] [8]

The Code requires that services be designed in "the best interests" of children, including their physical and mental health, protecting them from being exploited commercially or sexually, and acknowledging parents and caregivers' roles in protecting and supporting their child's best interests. [3]

The Code specifies that when used by a child, online services must use their highest privacy settings by default, unless there is a compelling reason to do so while keeping into account the best interests of the child. This includes not allowing access to data by other users, location tracking, or behavioural profiling (such as algorithmic curation and targeted advertising, or using data "in a way that incentivises children to stay engaged"). [3] The amount of data collected from children must be minimized, only collecting data that is strictly necessary to deliver service elements that a child is "actively and knowingly engaged" in. A service may not disclose a child's personal data to a third party without a compelling reason to do so. [3]

Services must present their privacy policy, privacy options, and data export and erasure tools in clear and age-appropriate means. They must not use dark patterns to nudge children toward options that reduce their privacy. [3] The Code recommends that privacy settings and tools be tailored to the needs of specific age groups. [3] Per GDPR, a user must be at least 13 years old to give verifiable consent to data processing; verifiable consent must be given by the child's parent or custodian. [9] [10]

Impact

Social media services adjusted their services to comply with the Code; on Instagram, all accounts created by under-18s began to be marked as private by default, and adults may not direct message them unless they are followers. TikTok stated that it will not send push notifications to children during the evening and nighttime hours, while YouTube stated that it would treat all videos "made for kids" (a designation introduced in 2020 following a ruling and fine under the U.S. Children's Online Privacy Protection Act) [11] [12] under the assumption they were being viewed by a child, including disabling autoplay, personalization, targeted advertising, and social features. [13] [14] [12]

In March 2023, a complaint was filed against YouTube alleging violations of the Code, as the service can track children via devices shared by multiple users. [15]

The code was adapted by the U.S. state of California as AB 2273, The California Age-Appropriate Design Code Act, and passed in August 2022. Kidron's charity 5Rights Foundation was credited as a supporter and "co-source" of the bill. In September 2023, the bill was ruled unconstitutional by Federal Judge Beth Labson Freeman as a violation of the First Amendment. [16] [17] [18]

See also

Related Research Articles

<span class="mw-page-title-main">Data Protection Act 1998</span> United Kingdom legislation

The Data Protection Act 1998 (DPA) was an Act of Parliament of the United Kingdom designed to protect personal data stored on computers or in an organised paper filing system. It enacted provisions from the European Union (EU) Data Protection Directive 1995 on the protection, processing, and movement of data.

<span class="mw-page-title-main">Information Commissioner's Office</span> Non-departmental public body

The Information Commissioner's Office (ICO) is a non-departmental public body which reports directly to the Parliament of the United Kingdom and is sponsored by the Department for Science, Innovation and Technology. It is the independent regulatory office dealing with the Data Protection Act 2018 and the General Data Protection Regulation, the Privacy and Electronic Communications Regulations 2003 across the UK; and the Freedom of Information Act 2000 and the Environmental Information Regulations 2004 in England, Wales and Northern Ireland and, to a limited extent, in Scotland. When they audit an organisation they use Symbiant's audit software.

Personal data, also known as personal information or personally identifiable information (PII), is any information related to an identifiable person.

Information privacy, data privacy or data protection laws provide a legal framework on how to obtain, use and store data of natural persons. The various laws around the world describe the rights of natural persons to control who is using its data. This includes usually the right to get details on which data is stored, for what purpose and to request the deletion in case the purpose is not given anymore.

Stream ripping is the process of saving data streams to a file. The process is sometimes referred to as destreaming.

<span class="mw-page-title-main">Beeban Kidron</span> British film director and politician (born 1961)

Beeban Tania Kidron, Baroness Kidron,, is a British politician. She is an advocate for children's rights in the digital world and has played a role in establishing standards for online safety and privacy across the world.

ePrivacy Directive

Privacy and Electronic Communications Directive2002/58/EC on Privacy and Electronic Communications, otherwise known as ePrivacy Directive (ePD), is an EU directive on data protection and privacy in the digital age. It presents a continuation of earlier efforts, most directly the Data Protection Directive. It deals with the regulation of a number of important issues such as confidentiality of information, treatment of traffic data, spam and cookies. This Directive has been amended by Directive 2009/136, which introduces several changes, especially in what concerns cookies, that are now subject to prior consent.

Zamzar is an online file converter and compressor, created by brothers Mike and Chris Whyley in England in 2006. It allows users to convert files online, without downloading a software tool, and supports over 1,200 different conversion types. Since its formation, the service has converted over 510 million files for users from 245 different countries. The service supports the conversion of documents, images, audio, video, e-Books, CAD files and compressed file formats.

<span class="mw-page-title-main">Techdirt</span> American Internet blog

Techdirt is an American Internet blog that reports on technology's legal challenges and related business and economic policy issues, in context of the digital revolution. It focuses on intellectual property, patent, information privacy and copyright reform in particular.

Privacy by design is an approach to systems engineering initially developed by Ann Cavoukian and formalized in a joint report on privacy-enhancing technologies by a joint team of the Information and Privacy Commissioner of Ontario (Canada), the Dutch Data Protection Authority, and the Netherlands Organisation for Applied Scientific Research in 1995. The privacy by design framework was published in 2009 and adopted by the International Assembly of Privacy Commissioners and Data Protection Authorities in 2010. Privacy by design calls for privacy to be taken into account throughout the whole engineering process. The concept is an example of value sensitive design, i.e., taking human values into account in a well-defined manner throughout the process.

<span class="mw-page-title-main">General Data Protection Regulation</span> EU regulation on the processing of personal data

The General Data Protection Regulation is a European Union regulation on information privacy in the European Union (EU) and the European Economic Area (EEA). The GDPR is an important component of EU privacy law and human rights law, in particular Article 8(1) of the Charter of Fundamental Rights of the European Union. It also governs the transfer of personal data outside the EU and EEA. The GDPR's goals are to enhance individuals' control and rights over their personal information and to simplify the regulations for international business. It supersedes the Data Protection Directive 95/46/EC and, among other things, simplifies the terminology.

Sharenting is a portmanteau of "sharing" and "parenting" describing the practice of parents publicizing a large amount of potentially sensitive content about their children on internet platforms. While the term was coined as recently as 2010, sharenting has become an international phenomenon with widespread presence in the United States, Spain, France, and the United Kingdom. As such, sharenting has also ignited disagreement as a controversial application of social media. Detractors find that it violates child privacy and hurts a parent-child relationship. Proponents frame the practice as a natural expression of parental pride in their children and argue that critics take sharenting-related posts out of context.

<span class="mw-page-title-main">YouTube Kids</span> Family-friendly version of YouTube

YouTube Kids is a video app and website for children developed by YouTube, a subsidiary of Google. The app provides a version of the service oriented solely towards children, with curated selections of content, parental control features, and filtering of videos deemed inappropriate for viewing by children under the age of 13, in accordance with the Children's Online Privacy Protection Act, which prohibits the regular YouTube app from profiling children under the age of 13 for advertising purposes.

A dark pattern is "a user interface that has been carefully crafted to trick users into doing things, such as buying overpriced insurance with their purchase or signing up for recurring bills". User experience designer Harry Brignull coined the neologism on 28 July 2010 with the registration of darkpatterns.org, a "pattern library with the specific goal of naming and shaming deceptive user interfaces".

<span class="mw-page-title-main">NOYB</span> European data protection advocacy group

NOYB – European Center for Digital Rights is a non-profit organization based in Vienna, Austria established in 2017 with a pan-European focus. Co-founded by Austrian lawyer and privacy activist Max Schrems, NOYB aims to launch strategic court cases and media initiatives in support of the General Data Protection Regulation (GDPR), the proposed ePrivacy Regulation, and information privacy in general. The organisation was established after a funding period during which it has raised annual donations of €250,000 by supporting members. Currently, NOYB is financed by more than 4,400 supporting members.

The General Data Protection Regulation (GDPR) is a European Union regulation that specifies standards for data protection and electronic privacy in the European Economic Area, and the rights of European citizens to control the processing and distribution of personally-identifiable information.

<span class="mw-page-title-main">Digital Services Act</span> European Union regulation on digital services content

The Digital Services Act Regulation 2022 (EU) 2022/2065 ("DSA") is a regulation in EU law to update the Electronic Commerce Directive 2000 regarding illegal content, transparent advertising, and disinformation. It was submitted along with the Digital Markets Act (DMA) by the European Commission to the European Parliament and the Council on 15 December 2020. The DSA was prepared by the Executive Vice President of the European Commission for A Europe Fit for the Digital Age Margrethe Vestager and by the European Commissioner for Internal Market Thierry Breton, as members of the Von der Leyen Commission.

Since its founding in 2005, the American video-sharing website YouTube has been faced with a growing number of privacy issues, including allegations that it allows users to upload unauthorized copyrighted material and allows personal information from young children to be collected without their parents' consent.


The EU Cloud Code of Conduct is a transnational Code of Conduct pursuant Article 40 of the European General Data Protection Regulation (GDPR).

<span class="mw-page-title-main">Texas House Bill 20</span>

An Act Relating to censorship of or certain other interference with digital expression, including expression on social media platforms or through electronic mail messages, also known as Texas House Bill 20 (HB20), is a Texas anti-deplatforming law enacted on September 9, 2021.

References

  1. 1 2 "Under-18s face 'like' and 'streaks' limits". BBC News . 15 April 2019. Retrieved 15 April 2019.
  2. 1 2 Greenfield, Patrick (15 April 2019). "Facebook urged to disable 'like' feature for child users". The Guardian. ISSN   0261-3077 . Retrieved 15 April 2019.
  3. 1 2 3 4 5 6 7 "ICO's 'Children's Code' applies from today – what you need to know". Eversheds Sutherland. Retrieved 2023-04-09.
  4. Lomas, Natasha (2020-01-22). "UK watchdog sets out 'age appropriate' design code for online services to keep kids' privacy safe". TechCrunch. Retrieved 2023-04-09.
  5. Lomas, Natasha (2021-09-01). "UK now expects compliance with children's privacy design code". TechCrunch. Retrieved 2023-04-09.
  6. Tait, Amelia (2021-09-19). "Beeban Kidron v Silicon Valley: one woman's fight to protect children online". The Observer. ISSN   0029-7712 . Retrieved 2024-02-16.
  7. Hern, Alex (2021-09-02). "UK children's digital privacy code comes into effect". The Guardian. ISSN   0261-3077 . Retrieved 2024-02-16.
  8. Jane Wakefield (1 September 2021), Children's internet code: What is it and how will it work?, BBC News
  9. "Age of consent in the GDPR: updated mapping". iapp.org. Archived from the original on 27 May 2018. Retrieved 26 May 2018.
  10. "How the Proposed EU Data Protection Regulation Is Creating a Ripple Effect Worldwide". Judy Schmitt, Florian Stahl. 11 October 2012. Retrieved 3 January 2013.
  11. Kelly, Makena (December 11, 2019). "YouTube calls for 'more clarity' on the FTC's child privacy rules". The Verge. Retrieved December 11, 2019.
  12. 1 2 Matthews, David (January 6, 2020). "YouTube rolls out new controls aimed at controlling children's content". TechSpot. Retrieved January 9, 2020.
  13. "YouTube accused of collecting UK children's data". BBC News. 2023-03-01. Retrieved 2023-04-09.
  14. "Children's internet code: What is it and how will it work?". BBC News. 2021-09-01. Retrieved 2023-04-09.
  15. "YouTube accused of collecting UK children's data". BBC News. 2023-03-01. Retrieved 2023-04-10.
  16. Masnick, Mike (2022-08-25). "Why Is A British Baroness Drafting California Censorship Laws?". Techdirt. Retrieved 2024-02-16.
  17. Robertson, Adi (2022-08-30). "California passes sweeping online safety rules for kids". The Verge. Retrieved 2024-02-16.
  18. Masnick, Mike (2023-09-19). "Court Says California's Age Appropriate Design Code Is Unconstitutional (Just As We Warned)". Techdirt. Retrieved 2024-02-16.