The Information Commissioner’s Office (ICO) in the U.K. has just proposed a new “code of practice for online services” aimed at protecting children’s privacy. These rules include banning information society service (ISS) providers from using “nudge techniques,” which would include “likes” on Facebook and Instagram and “streaks” on Snapchat.
“In an age when children learn how to use a tablet before they can ride a bike, making sure they have the freedom to play, learn and explore in the digital world is of paramount importance,” said Information Commissioner Elizabeth Denham CBE in a statement. “Today we’re setting out the standards expected of those responsible for designing, developing or providing online services likely to be accessed by children, when they process their personal data.”
What Are the Other Regulations?
The ICO is an independent body that reports to Parliament and helps protect people’s information. The prohibition against nudge techniques is merely one of 16 rules the ICO’s new code outlines and expands on, which can be briefly summarized as follows:
- The best interests of children should be an ISS developer’s primary concern.
- Developers should apply the proposed code in an age-appropriate way.
- Developers must be transparent about how they’re using data and explain their methods in a way children can understand.
- Developers cannot use data in a way that harms children or goes against “industry codes of practice, other regulatory provisions or Government advice.”
- Developers must uphold their own standards.
- Unless there’s a good reason for doing otherwise, settings should default to the greatest degree of privacy.
- Developers should collect the least possible amount of data.
- Developers must not disclose children’s data without good reason.
- Geolocating must be turned off by default.
- Children should know when someone is monitoring them through parental controls.
- Profiling should be turned off by default and only used for children’s protection.
- No nudge techniques are allowed, unless they encourage children toward privacy. Nudge techniques include anything that encourages children to spend more time using a service.
- Connected toys and devices must comply with the code.
- Developers need to provide online tools children can use to protect their data.
- Developers must carry out data protection impact assessments (DPIAs) to evaluate how well they’re complying with the code.
- Policies must be set that ensure developers follow the code.
Our Age Appropriate Design Code is the first of its kind in the world. We want online service providers in no doubt of what is expected of them when protecting children’s personal data.
— ICO (@ICOnews) April 15, 2019
The code applies to organizations based in the U.K. and to companies that operate within the U.K. while being based outside of it. Failure to comply with these rules could have a number of consequences, including warnings and fines. The most severe penalty for failing to comply with the code is a fine of either 20 million euros or 4 percent of a company’s global revenue, whichever amount is higher. As the AP points out, for some organizations this could mean shelling out billions of dollars.
Denham says her office is now collecting feedback on the code until May 31st and expects it to go into effect by the end of the year.