Children's Code

The Age appropriate design code, also known as the Children's Code, is a British internet safety and privacy code of practice created by the Information Commissioner's Office (ICO). The draft Code was published in April 2019,^[1][2] as instructed by the Data Protection Act 2018 (DPA).^[3] The final regulations were published on 27 January 2020 and took effect 2 September 2020, with a one-year grace period before the beginning of enforcement.^[4][5] The Children's Code is written to be consistent with GDPR and the DPA, meaning that compliance with the Code is enforceable under the latter.^[1][2]

It applies to any internet-connected product or service that is likely to be accessed by a person under the age of 18. It requires online services to be designed in the "best interests" of children and their health, safety, and privacy, requiring that they be afforded with the strongest privacy settings by default, that only data strictly necessary to deliver individual service elements is collected from children unless there is justification, and that children's personal data not be disclosed to third-parties unless there is justification. It also requires privacy policies and controls to be presented in a manner that is clear and accessible to children, including prohibiting dark patterns.

History

Baroness Beeban Kidron sponsored the amendment to the DPA that mandated the development of the Code.^[6] Upon the implementation of the Code in 2021, she explained that "[the Code] shows tech companies are not exempt. This exceptionalism that has defined the last decade, that they are different, just disappears in a puff of smoke when you say, 'actually, this is business.' And business has to be safe, equitable, run along rules that at a minimum protect vulnerable users.^[7]

Contents

The Children's Code is a code of practice enforceable under the Data Protection Act 2018, and is consistent with GDPR and the Convention on the Rights of the Child. It specifies design standards for any information society services (ISS, which includes websites, software and apps, and connected toys) that are likely to be used by a person under the age of 18 and is based in or serves users within the United Kingdom.^[3][8]

The Code requires that services be designed in "the best interests" of children, including their physical and mental health, protecting them from being exploited commercially or sexually, and acknowledging parents and caregivers' roles in protecting and supporting their child's best interests.^[3]

The Code specifies that when used by a child, online services must use their highest privacy settings by default, unless there is a compelling reason to do so while keeping into account the best interests of the child. This includes not allowing access to data by other users, location tracking, or behavioural profiling (such as algorithmic curation and targeted advertising, or using data "in a way that incentivises children to stay engaged").^[3] The amount of data collected from children must be minimized, only collecting data that is strictly necessary to deliver service elements that a child is "actively and knowingly engaged" in. A service may not disclose a child's personal data to a third party without a compelling reason to do so.^[3]

Services must present their privacy policy, privacy options, and data export and erasure tools in clear and age-appropriate means. They must not use dark patterns to nudge children toward options that reduce their privacy.^[3] The Code recommends that privacy settings and tools be tailored to the needs of specific age groups.^[3] Per GDPR, a user must be at least 13 years old to give verifiable consent to data processing; verifiable consent must be given by the child's parent or custodian.^[9][10]

Impact

Social media services adjusted their services to comply with the Code; on Instagram, all accounts created by under-18s began to be marked as private by default, and adults may not direct message them unless they are followers. TikTok stated that it will not send push notifications to children during the evening and nighttime hours, while YouTube stated that it would treat all videos "made for kids" (a designation introduced in 2020 following a ruling and fine under the U.S. Children's Online Privacy Protection Act)^[11][12] under the assumption they were being viewed by a child, including disabling autoplay, personalization, targeted advertising, and social features.^[13][14][12]

In March 2023, a complaint was filed against YouTube alleging violations of the Code, as the service can track children via devices shared by multiple users.^[15]

The code was adapted by the U.S. state of California as AB 2273, The California Age-Appropriate Design Code Act, and passed in August 2022. Kidron's charity 5Rights Foundation was credited as a supporter and "co-source" of the bill. In September 2023, the bill was ruled unconstitutional by Federal Judge Beth Labson Freeman as a violation of the First Amendment.^[16][17][18]

See also

• Advertising to children
• Online Safety Bill

References

1. "Under-18s face 'like' and 'streaks' limits". BBC News. 15 April 2019. Retrieved 15 April 2019.
2. Greenfield, Patrick (15 April 2019). "Facebook urged to disable 'like' feature for child users". The Guardian. ISSN 0261-3077. Retrieved 15 April 2019.
3. "ICO's 'Children's Code' applies from today – what you need to know". Eversheds Sutherland. Retrieved 2023-04-09.
4. Lomas, Natasha (2020-01-22). "UK watchdog sets out 'age appropriate' design code for online services to keep kids' privacy safe". TechCrunch. Retrieved 2023-04-09.
5. Lomas, Natasha (2021-09-01). "UK now expects compliance with children's privacy design code". TechCrunch. Retrieved 2023-04-09.
6. Tait, Amelia (2021-09-19). "Beeban Kidron v Silicon Valley: one woman's fight to protect children online". The Observer. ISSN 0029-7712. Retrieved 2024-02-16.
7. Hern, Alex (2021-09-02). "UK children's digital privacy code comes into effect". The Guardian. ISSN 0261-3077. Retrieved 2024-02-16.
8. Jane Wakefield (1 September 2021), Children's internet code: What is it and how will it work?, BBC News
9. "Age of consent in the GDPR: updated mapping". iapp.org. Archived from the original on 27 May 2018. Retrieved 26 May 2018.
10. "How the Proposed EU Data Protection Regulation Is Creating a Ripple Effect Worldwide". Judy Schmitt, Florian Stahl. 11 October 2012. Retrieved 3 January 2013.
11. Kelly, Makena (December 11, 2019). "YouTube calls for 'more clarity' on the FTC's child privacy rules". The Verge. Retrieved December 11, 2019.
12. Matthews, David (January 6, 2020). "YouTube rolls out new controls aimed at controlling children's content". TechSpot. Retrieved January 9, 2020.
13. "YouTube accused of collecting UK children's data". BBC News. 2023-03-01. Retrieved 2023-04-09.
14. "Children's internet code: What is it and how will it work?". BBC News. 2021-09-01. Retrieved 2023-04-09.
15. "YouTube accused of collecting UK children's data". BBC News. 2023-03-01. Retrieved 2023-04-10.
16. Masnick, Mike (2022-08-25). "Why Is A British Baroness Drafting California Censorship Laws?". Techdirt. Retrieved 2024-02-16.
17. Robertson, Adi (2022-08-30). "California passes sweeping online safety rules for kids". The Verge. Retrieved 2024-02-16.
18. Masnick, Mike (2023-09-19). "Court Says California's Age Appropriate Design Code Is Unconstitutional (Just As We Warned)". Techdirt. Retrieved 2024-02-16.