ICO’s Child Protection Rules Take Effect Sept. 2, 2021. Are You Ready?

The UK Information Commissioner’s Office (ICO) Children’s Code, officially known as the “Age Appropriate Design Code: a code of practice for online services,” goes into effect Thursday, Sept. 2, 2021, after a one-year grace period. The code, which falls under section 125(1)(b) of the UK Data Protection Act 2018 (the Act), is intended to protect UK children, i.e., people under the age of eighteen (18).

Are you ready? I hope so; this code applies to any business, in or out of the UK, that provides digital services to UK children. And it is not the only one of its kind around the world.

What You Need to Know

In the digital age, a person’s digital footprint is first established months before they are born, grows exponentially throughout their life, and carries on after their death. Kids are especially vulnerable to being influenced by digital services; moreover, they are more likely to fall victim to cybercrime. For instance, a 2011 study by Carnegie Mellon CyLab found that children were 51% more likely to have their Social Security number used by someone else.

What is it for?

The code is designed to ensure that providers of apps, programs, toys, or any other devices that collect and process children’s data “are appropriate for use by, and meet the development needs of, children.” It sets out 15 distinct but interdependent legal, service design, and data processing principles and standards to be followed. Specifically, as called out in the code, these are:

• Best interests of the child
• Data protection impact assessments
• Age appropriate application
• Transparency
• Detrimental use of data
• Policies and community standards
• Default settings
• Data minimization
• Data sharing
• Geolocation
• Parental controls
• Profiling
• Nudge techniques
• Connected toys and devices
• Online tools

Who must comply? Risk of non-compliance

Information society services (ISS) that cater to UK children under the age of 18 or whose services are likely to be accessed by children must adhere to the code or risk ICO public assessment and enforcement notices, warnings, reprimands, and penalty notices (aka administrative fines). Serious code breaches may lead to fines of up to €20 million (or £17.5 million when the UK GDPR comes into effect) or 4% of the provider’s annual worldwide turnover, whichever is higher.

What you need to do

Ensuring the digital future and safety of children and vulnerable adults (people over 18 who cannot meet their own needs or seek help without assistance) is a founding principle of a healthy society and of running a sustainable business. There are several recommended steps you can take to get into, and stay in, alignment with the code:

1. Consider the likelihood that a child (or vulnerable adult) might use your service. The burden is on the service provider to determine how likely it is that a child will use their service. You should conduct user testing, surveys, market research (including competitive analysis), and professional and academic literature reviews.

2. Document your data flows, i.e., conduct a data protection impact assessment (DPIA). Your DPIA should consist of data and system flow diagrams and detailed descriptions of those systems (including services, processes, and interfaces), all the data flowing through them, and how that data is handled. The flow diagram should illustrate each engagement swim lane (e.g., individual, client, company, third party) and the direction of data flow. The supporting documentation should define each data element and clearly spell out how it will be collected, used, and managed. Take it from me and my firsthand experience. The DPIA lens is an invaluable tool for strategic product development. I highly recommend that you not look at the DPIA process as a legal necessity but rather as a valuable framework for learning about and assessing how your products and services work, exactly what they do, and why. Performed with the right lens, the DPIA can be fertile ground for creative inspiration and innovation.

3. Make it a team sport. Effective data management is a company-wide, multi-disciplinary activity. It is important that all key stakeholders, not just legal, IT, security, and compliance, but also marketing, user experience, customer experience, design, support, product, sales, and third-party compliance partners (experts who can help you and your team succeed), play a role in ensuring your products and services do not just meet legal requirements but exceed people’s expectations.

But There Is More

The above steps are extremely useful; however, there are two more considerations that should not be neglected: 1) things are just getting started, and 2) people’s sentiment, which is the opportunity to differentiate.

First, Gartner estimates that 10% of the world’s population is currently protected under people-centric regulation, i.e., regulations like Europe’s GDPR, California’s CCPA, Brazil’s LGPD, and China’s data protection law, which takes effect Nov. 1, 2021. By 2023 Gartner estimates this number will rise to 65%. Moreover, keep in mind that it will not just be omnibus rules that take effect; sector-specific rules will apply as well. For example, in the United States, the Federal Trade Commission is reevaluating its child protection rules (COPPA), and the U.S. Department of Education will more than likely be updating the Family Educational Rights and Privacy Act (FERPA). There are also state-specific regulations similar to the CCPA being enacted. For instance, in July 2021, Colorado enacted its own people-centric regulation, the “Privacy Act of 2021.”

Second, globally, as evidenced by the last seven years of the MEF Global Consumer Trust studies, people are waking up to industry data practices. To say they are unhappy about them is an understatement. People are connected, they are concerned, and they want control of their data. The problem is, they are not exactly sure how to go about it.

There is more to win than just staying on the right side of the law. There is an opportunity for companies to go beyond the law, to recognize that digital privacy, the controls and flows of one’s personal data, should be treated as sacred as one’s physical privacy. Privacy should not be a luxury good obtained only by a select minority; it’s a human right. All three major societal constituents (individuals, private sector organizations, and public sector institutions) need to play their part. There is an opportunity for each to weigh in on this debate, especially public sector players who can differentiate themselves by actively and publicly providing people not just with the utility of the company’s service but with tools and education that help people proactively enact their data rights and to secure and gain agency over their digital footprint, not just now but throughout their entire life. Like global warming, if we each do our part, we can get data back under control and achieve a healthy equilibrium throughout the world’s markets.

Useful Resources & Tools

• ICO’s Children’s Code of 2020: legal, design, and service principles and standards for protecting children’s data.
• ICO DPIA Template (note: does not include flow diagram examples, which is a miss).
• UNICEF Better Business for Children: industry-specific guidance to protect children’s rights.
• COPPA Safe Harbor Program: U.S. self-regulatory program for the protection of children’s data (6 companies have been certified).
• Ada for Trust: an art exhibit presented at MyData 2019 detailing 6 key “digital” life moments.
• UNICEF Better Business for Children: provides guidance and tools.

The MEF Personal Data & Identity (PD&I) Working Group will hold its next meeting on Sept. 20, 2021 at 7:00 AM PDT/2:00 PM GMT. The MEF welcomes marketing leaders looking to gather insight, interact with fellow leaders, and make an impact on the industry to join the MEF and the PD&I working group’s efforts.
