Strict new standards to protect children's data online

New rules are being proposed by the Information Commissioners Office (ICO) that will force social media and online companies to protect children's data.

'Age appropriate design: a code of practice for online services' has been published for consultation.

It sets out how those responsible for designing, developing or providing online services likely to be accessed by children should follow the code and demonstrate that their services use children’s data fairly and in compliance with data protection law. Those that don’t, could face enforcement action including a fine or an order to stop processing data.

Introduced by the Data Protection Act 2018, the code sets out 16 standards of age appropriate design for online services like apps, connected toys, social media platforms, online games, educational websites and streaming services, when they process children’s personal data.

It says that privacy must be built in and not bolted on.

Settings must be “high privacy” by default (unless there’s a compelling reason not to); only the minimum amount of personal data should be collected and retained; children’s data should not usually be shared; geolocation services should be switched off by default. Nudge techniques should not be used to encourage children to provide unnecessary personal data, weaken or turn off their privacy settings or keep on using the service. It also addresses issues of parental control and profiling.

The code is out for consultation until 31 May. The final version will be laid before Parliament and it is expected to come into effect before the end of the year.