Online service providers, app developers and other relevant businesses have one year to comply with a new statutory code introduced on Wednesday to help protect children’s privacy.
The Age Appropriate Design Code or Children’s Code will apply to any business providing “online services and products” likely to be used by UK youngsters under 18, according to the Information Commissioner’s Office (ICO).
Following the GDPR-enshrined principle of “security by design,” the code will outline 15 standards for developers of online services so that its users have a “built-in baseline of data protection” when they visit a website or open an app.
“A generation from now we will all be astonished that there was ever a time when there wasn’t specific regulation to protect kids online. It will be as normal as putting on a seatbelt,” argued information commissioner, Elizabeth Denham.
“This code makes clear that kids are not like adults online, and their data needs greater protections. We want children to be online, learning and playing and experiencing the world, but with the right protections in place.”
Among the requirements are that geolocation is switched off by default, only a bare minimum of data is collected on children using such services, and that it is never shared unless there’s a compelling reason to do so.
Maximum GDPR fines of up to 4% of global annual turnover could theoretically be levied if firms break the code.
However, it is risk-based, which means certain organizations will have more to do than others. The ICO said those involved in developing and providing apps, connected toys, social media platforms, online games, educational websites and streaming services that use, analyze and profile children’s data will be most affected by the new rules.
The ICO is inviting feedback to help it tailor support as organizations adapt their products before the September 2, 2021 deadline.
Concerns over the online privacy of children have also surfaced in the US, where Google and YouTube last year agreed to pay $170m to settle a case brought by the FTC and New York Attorney General alleging they illegally harvested personal data on children.