ICO Releases a Code of Practice for Age Appropriate Design on Online Services

The ICO notes that its Code reflects the “global direction” of reforms in the US, Europe, and globally by the Organization for Economic Co-operation and Development. Given this, and as more and more children and young people are spending time online due to COVID-19, all businesses may benefit from reviewing this Code and implementing its requirements.

Fifteen Framework Standards

As an overview, there are fifteen general standards that create the framework for the Code. The standard for “connected toys and devices” is further discussed below.

1. Best interests of the child
2. Data protection impact assessments
3. Age appropriate application
4. Transparency
5. Detrimental use of data
6. Policies and community standards
7. Default settings
8. Data minimization
9. Data sharing
10. Geolocation
11. Parental controls
12. Profiling
13. Nudge techniques
14. Connected toys and devices
15. Online tools

Connected Toys and Devices

To further explain and provide an example of the Code, we take the ICO’s standard on connected toys and devices given the influx of internet-connected devices within the internet of things (IoT). Increasingly, children’s toys and devices are connected via Bluetooth, cameras, and recording devices. For example, a talking teddy bear that records what children say and answers with personalized responses is a part of the IoT realm. These toys and devices are often used by young children without adult supervision.

In the context of IoT product design, which often does not include a typical computer screen, delivering disclosures transparently may be difficult. With this in mind, businesses should provide clear information at the point of sale and prior to device set-up, both on the packaging and in the product leaflet to offer adequate notice.

In providing notice and setting up the business, it is important for businesses to do a few things. First, businesses must be clear about who is processing the data. For example, if the business that manufactures the physical product also handles the online functionality that supports it, then this requirement is more straightforward. However, there are frequent partnerships where manufacturers outsource the connected element of the device. The entities processing the personal data and their responsibilities must be clear to the user.

Second, companies are responsible for ensuring adequate security to prevent hacking and unauthorized access to the data that the toy or device collects. This is particularly important for sensitive data, such as geolocation tracking.

Third, in the product design, businesses should implement features that make it clear to the parent or children when the toy or device is collecting personal data. For example, ensure there is a light that turns on when the device is recording audio, filming, or collecting personal data in another way.

Lastly, though the Code contains principles and general guidance, it also includes particular examples and more direct implementation suggestions that provide further clarity on when the Code applies, and how businesses can incorporate the requirements.

Designing for Children’s Protection Online

Companies with online services for children and those developing new services will benefit from reviewing the Code principles. Businesses offering online services in the United Kingdom, in particular, will want to particularly ensure that they are in compliance by September 2021, as ICO has indicated it will enforce the Code with its powers, including warnings and reprimands, injunctions, and/or fines.

More information and the Code itself can be found on the ICO’s website here.