The Information Commissioner announced a new 15-point Age Appropriate Design Code yesterday, which app and game developers will have to comply with from autumn 2021.
The code will legally require developers to assess their sites for sexual abuse risks and incorporate measures to ensure that users under 16 no longer see self-harm and pro-suicide content. It will also require digital services to automatically provide children with a built-in baseline of data protection whenever they download a new app or game or visit a website.
The code sets out the standards expected of those responsible for designing, developing or providing online services like apps, connected toys, social media platforms, online games, educational websites and streaming services. It covers services likely to be accessed by children and which process their data.
The code's provisions include:
- Privacy settings should be set to high by default and nudge techniques should not be used to encourage children to weaken their settings.
- Location settings that allow the world to see where a child is should also be switched off automatically.
- Data collection and sharing should be minimised, and profiling that can allow children to be served targeted content should be switched off by default too.
The code says that the best interests of the child should be a primary consideration when designing and developing online services. And it gives practical guidance on data protection safeguards that ensure online services are appropriate for use by children.
Ms Denham, Information Commissioner, said:
“One in five internet users in the UK is a child, but they are using an internet that was not designed for them.
“There are laws to protect children in the real world – film ratings, car seats, age restrictions on drinking and smoking. We need our laws to protect children in the digital world too.
“In a generation from now, we will look back and find it astonishing that online services weren’t always designed with children in mind.”
The standards of the code are rooted in the General Data Protection Regulation (GDPR) and the code was introduced by the Data Protection Act 2018. The ICO submitted the code to the Secretary of State in November and it must complete a statutory process before it is laid in Parliament for approval. After that, organisations will have 12 months to update their practices before the code comes into full effect. The ICO expects this will be by autumn 2021.
Since 25 May 2018, the ICO has had the power to impose a civil monetary penalty (CMP) on a data controller of up to £17 million (€20 million) or 4% of global turnover. Once the code is in place, these will be the punitive measures attached to any breaches.