Date: 2021-09-02



In the UK, the 12-month grace period for complying with the Design Code to protect children online expires today. under the age of 18) must adhere to a set of standards to protect children from being tracked and profiled.

The age-appropriate design code came into effect on 2 September last year, but the UK data protection watchdog, the ICO, allowed the maximum grace period for compliance, giving organizations time to adjust their services.

However, starting today, it expects the code’s standards to be met.

Services covered by the code may include connected toys, games and educational technology, as well as online retail and for-profit online services such as social media and video sharing platforms.

Among the provisions of the code is that if the user is a child (or is suspected of being a child), a “higher privacy” level of settings should be applied by default. This includes specific provisions that geolocation and profiling should be turned off by default (unless there is a convincing justification for such privacy-hostile defaults).

The code also instructs app creators to provide parental controls while also providing children with age-appropriate information about these tools. That is, it warns against parental tracking tools that can be used to silently/invisibly monitor a child without the child being aware of the active tracking.

Another standard is aimed at dark pattern designs. It warns app creators not to use “nudge techniques” that pressure children to “give them personal data they don’t need, or to weaken or turn off privacy features.”

The full code contains 15 standards, but is not itself included in the law. Rather, it is a set of design recommendations that the ICO wants app creators to follow.

The regulatory stick to make them do so is that the watchdog is explicitly linking compliance with its children’s privacy standards to passing muster with the broader data protection requirements contained in UK law.

Therefore, apps that ignore the standards risk catching the watchdog’s attention, through complaints or proactive investigations, with the possibility of a broader ICO audit examining their entire approach to privacy and data protection.

“Through a series of proactive audits, we will monitor compliance with this Code, consider complaints and take appropriate steps to enforce basic data protection standards in accordance with applicable laws and regulatory action policies,” the ICO writes in guidelines on its website. “To ensure proportional and effective regulation, we will target the most important powers, focusing on organizations and individuals suspected of repeated or willful misconduct or serious failure to comply with the law.”

It goes on to warn that a lack of compliance with the children’s privacy code will be regarded as a potential black mark against (enforceable) UK data protection laws, adding: “If you do not follow this code, will your processing be fair and compliant with the GDPR [General Data Protection Regulation] or PECR [Privacy and Electronic Communications Regulations]?”

Last week Stephen Bonner, director of regulatory futures and innovation at the ICO, warned app makers in a blog post: “Services are designed according to code. We will identify areas in which we have the authority to investigate or audit the organization if we need to provide assistance or the circumstances require it.”

“We’ve seen that some of the biggest risks right now come from social media platforms, video and music streaming sites, and video game platforms,” he said. “Children’s personal data is used and shared in this area to provide content and personalized service features. This may include inappropriate advertising; unsolicited messages and friend requests; and privacy-invading nudges urging kids to stay online. We were concerned about the physical, emotional, psychological and financial harm that could occur as a result of the use of this data.”

“Children’s rights must be respected and we expect organizations to demonstrate that the best interests of children are their primary concern. This Code provides clarity on how organizations may use children’s data under the law, and we want to see organizations committed to protecting children through the design and development of services in accordance with the Code,” Bonner added.

The ICO’s enforcement powers are quite broad, at least on paper. For example, GDPR allows infringers to be fined up to £17.5 million or 4% of annual global turnover, whichever is higher.

The watchdog can also issue orders prohibiting data processing or requiring changes to services that are deemed non-compliant. Therefore, apps that choose to ignore the children’s design code put themselves at risk of regulatory action, or worse.

In recent months there have been signs that some major platforms are mindful of the ICO’s compliance deadline, with Instagram, YouTube and TikTok all announcing changes to how they handle minors’ data and account settings before September 2.

In July, Instagram announced that it would default teens to private accounts. The platform does this for those under the age of 18 in certain countries, including the UK. Then, in August, Google announced similar changes to accounts on YouTube, its video-sharing platform.

A few days later, TikTok said it would add more privacy features for teenagers. It had also made earlier changes to limit the privacy defaults for under-18s.

Apple has also been in hot water with the digital rights community after recently announcing features focused on child safety, including a Child Sexual Abuse Material (CSAM) detection tool that scans photo uploads to iCloud, and an opt-in parental control feature that allows iCloud family account users to turn on warnings related to the viewing of obscene images by minors using the Messages app.

The unifying theme underpinning all of these mainstream platform product changes is clearly “child protection”.

And while there is growing attention in the US to online child safety and the nefarious ways some apps misuse children’s data, as well as several open investigations in Europe (e.g. committee investigations into TikTok, handling complaints), the UK could have a huge impact here, given its concerted efforts to pioneer age-focused design standards.

The code also combines with incoming UK legislation set to impose a “duty of care” on platforms to take a broad safety-first stance toward users, also with a big focus on children (covering all children, not just those under the age of 13 as with, for example, COPPA in the United States).

In a blog post before the compliance deadline expired, the ICO’s Bonner wrote about the “significant changes” that platforms like Facebook, Google, Instagram and TikTok have made in recent months: “Kinds are also having a global impact. U.S. Senators and members of Congress have urged major U.S. tech and gaming companies to voluntarily adopt standards for ICO codes for U.S. children.”

He also said: “The Irish Data Protection Commission is preparing to introduce Children Fundamentals for the protection of online children that are closely aligned with the Code and follow similar core principles”.

And the EU has other examples. France’s data watchdog, the CNIL, appears to have been inspired by the ICO’s approach. In June, it issued its own child-safety-focused recommendations (which, for example, encourage app makers to add parental controls, with the clear caveat that these tools should “respect children’s privacy and best interests”).

The UK’s focus on online child safety is not only making waves abroad, but also sparking growth in the domestic compliance services industry.

For example, last month the ICO announced its first clutch of GDPR certification scheme standards, including two schemes focused on the age-appropriate design code. Expect more.

Bonner’s blog post also notes that the watchdog will formally set out its position on age assurance this fall, so it will be providing further guidance to organizations in scope of the code on how to address this tricky issue. How hard a requirement the ICO will support remains to be seen, as Bonner suggests it could actually be to “validate an age or an estimate of age”. Watch that space. Whatever the recommendations, age assurance services will come with compliance-focused sales pitches.

Child safety online has been a major focus of UK policy makers in recent years, but the broader, longer-running Online Safety (née Harms) legislation remains in the drafting stage.

An earlier attempt by UK legislators to introduce mandatory age verification to prevent children from accessing adult content websites, dating back to the Digital Economy Act of 2017, was canceled in 2019 after widespread criticism that it would be both impractical and an enormous privacy risk to adult users of porn.

However, the government has not dropped its determination to find ways to regulate online services in the name of child safety. And online age verification checks look set to be, if not a blanket, hardened requirement for all digital services, increasingly brought in by the back door through a sort of “recommended feature” creep (as the ORG has warned).

The current recommendation in the age-appropriate design code is that app creators “use a risk-based approach to recognize the age of individual users and ensure that the standards of this code are effectively applied to young users,” and it continues: “Instead, apply to all users a level of certainty appropriate to the risk to the rights and freedoms of children arising from the processing of the data, or the standards of this Code.”

At the same time, the government’s broader push for online safety risks clashing with some of the laudable goals of the ICO’s non-binding children’s privacy design code.

For example, the code contains a (welcome) proposal for digital services to collect as little information about children as possible, but in an announcement earlier this summer, British lawmakers put out guidance for social media platforms and messaging services, ahead of their planned Online Safety legislation, recommending that they not allow children to use end-to-end encryption.

That’s right: the government’s advice to data-mining platforms (which it suggests will help prepare them for the requirements of the new legislation) is not to use “gold standard” security and privacy (E2E encryption) for children.

So the UK government’s official message to app makers appears to be that, in the near term, the law will call for more access to children’s information in the name of keeping children “safe”. This is quite a contradiction with the design code’s push for data minimization.

The risk is that the heightened spotlight on children’s privacy ends up blurred and complicated by misguided policies that force platforms to monitor children for “protection” from a variety of online harms, whether adult content or posts supporting suicide, or cyberbullying and CSAM.

The law is likely to encourage platforms to “show in action” to prove compliance. This risks leading to closer tracking of children’s activities, data retention, and profiling and age verification checks (which could even end up applied to all users; think of a sledgehammer to crack a nut). In a word, a privacy dystopia.

These mixed messages and disjointed policy decisions make the requirements for digital services operating in the UK increasingly confusing and even conflicting, making technology companies legally responsible for finding clarity amid the policy turmoil, while at the same time running the risk of huge fines if they get the balance wrong.

So, complying with the ICO’s design standards is actually the easy part.

