UK Says Children’s Apps Must Have Built-in Privacy

A new statutory code limiting the amount of data online services can collect from children went into effect in the United Kingdom on Sept. 2. Developers have to make sure data protections are available by default in online applications and services used by children or face potentially high fines.

The Age Appropriate Design Code applies to any businesses providing “online services and products” likely to be used by people in the United Kingdom under 18 years of age. That includes educational websites, messaging services, community forums, social media platforms, streaming services with large audiences of children, makers of connected toys (Internet of Things toys), and game companies and platforms. The code outlines 15 standards for developers to follow so that users—children—have a certain level of privacy by default when visiting a website or opening an app.

“[Kids] are not like adults online, and their data needs greater protection,” Information Commissioner Elizabeth Denham told the BBC.

The Information Commissioner’s Office will have the power to fine violators up to 4 percent of their global revenues. Online service providers, app developers, and other relevant businesses have one year to make sure their services and applications are complying with the rules, as enforcement will begin Sept. 2, 2021. The ICO has said it has the power to take more severe actions if necessary.

“The best interests of the child should be a primary consideration when you design and develop online services likely to be accessed by a child,” according to the code. Even if a service or device is not explicitly targeted at children, the code’s requirements apply if children are likely to use it. This broadens the range of businesses the code affects. For example, streaming services such as Netflix are not specifically for children, but they provide children’s programming, which makes the company subject to the rules.

Note also that the Children’s Code (as it is also called) defines children as anyone under the age of 18, not 13. This means makers of connected devices such as fitness trackers have to make sure their data policies are compliant if they want to continue selling wearables to teenagers in the UK.

Similar to Europe’s GDPR, the Age Appropriate Design Code will affect businesses outside of the United Kingdom. The code is very clear that it applies to any business with users who are children in the United Kingdom—and in this interconnected world that means any company with any kind of presence in the UK.

Concerns about children’s privacy aren’t limited to that side of the Atlantic Ocean. Last fall, the United States Federal Trade Commission fined YouTube $170 million for collecting data on children under the age of 13 without the consent of their parents.

The Children’s Code requires developers to take children’s best interests into consideration when designing and developing services, to refrain from using children’s data in ways that are detrimental to their well-being, and to ensure that settings default to high levels of privacy. There are a few specific requirements, such as that geolocation must be switched off by default and that children’s data cannot be shared unless there is a compelling reason to do so. Dark patterns in user interfaces—methods designed to trick users into making decisions they otherwise would not have made (such as making an opt-out link very small and faint on a page)—are not allowed.

“Nudge techniques” should not be used to “lead or encourage children to provide unnecessary personal data or weaken or turn off their privacy protections,” according to the code.

The ICO has said it will provide support to businesses trying to make the necessary changes to comply.

“We want children to be online, learning and playing and experiencing the world, but with the right protections in place,” Denham said in a statement. “A generation from now we will all be astonished that there was ever a time when there wasn’t specific regulation to protect kids online. It will be as normal as putting on a seatbelt.”