Date: 2020-01-29
As a follow-up to the European Union’s General Data Protection Regulation (GDPR), the UK’s Information Commissioner’s Office (ICO) has released the Age Appropriate Design Code, a set of standards for online service providers designed to protect the privacy of kids online. Compared with our own Children’s Online Privacy Protection Act of 1998, the new UK code addresses today’s internet-driven world and is far more comprehensive in its scope. Is it time to update COPPA? Yes, and here’s why.
The UK’s Age Appropriate Design Code protects all children who have not yet reached the age of 18. Our law covers only children under the age of 13, and those five extra years are when so much bad online behavior like bullying happens. Further, that is when many kids gain their purchasing power and are easily influenced by targeted advertising, so it makes sense to do as much as possible to keep them safe during their teen years.
A second gap appears when we look at the difference in application of the two pieces of legislation. COPPA is directed toward the collection of personal data by online services such as Facebook and third-party ad networks that knowingly use data from children. The UK code covers that and more, including connected toys with or without screens. It is not limited to services designed primarily for kids but applies to any service likely to be used by them. The ICO puts forth a compelling argument to support its new code.
“Personal data often drives the content that our children are exposed to — what they like, what they search for, when they log on and off, and even how they are feeling,” Information Commissioner Elizabeth Denham said. “In an age when children learn how to use an iPad before they ride a bike, it is right that organizations designing and developing online services do so with the best interests of children in mind. Children’s privacy must not be traded in the chase for profit.”
Companies must adhere to 15 standards to be compliant with the new code in the UK, and, similar to the GDPR and California’s new privacy law, the code applies to all companies — regardless of where they are based in the world — if they collect data from kids who live in the UK. This means that service providers and toymakers who have an international customer base will likely comply with the new code because it’s easier to apply new standards and laws across their platforms rather than market by market.
These new standards specify that settings must be “high privacy” by default, and only the minimum amount of personal data may be collected and kept. Instead of a one-size-fits-all-kids approach, the code requires companies to assess and address risks based on the differing ages, capacities and development needs of their underage users. Providers are also asked to establish age with a level of certainty appropriate to the possible risks. If they can’t do that, they must use the highest level of protection for all users.
In most cases, kids’ data should not be shared and geolocation data should be switched off by default. And if location is shared during play, the provider must use an obvious sign for children when location tracking is active, and it must be automatically turned off at the end of each session.
The code also prohibits “nudge techniques,” a relatively new practice, loosely based on a theory by University of Chicago behavioral scientist Richard Thaler, that could encourage users to provide unnecessary personal data or turn off privacy settings altogether. (The more data supplied, the more valuable it is to third-party ad networks, which means providers can make more money from selling data.) Nudge techniques could include making it easier for a child to sign up for a service if he or she skips opting in to stricter privacy settings.
Lastly, the UK code includes measures around parental controls, similar to COPPA, which requires parental consent prior to service access, but takes them a step further. Services that include parental controls must let the child know about them. If a parent or caregiver can monitor a child’s activity or track their location, the service must provide an obvious sign to the child user that this is happening. The policy sets a good example of transparency cutting both ways.
Violators will face fines worth up to 4% of a company’s global revenue once the 12-month transition period comes to a close and the code takes full effect, expected in fall 2021.