If you offer online products and services that are likely to be accessed by children (such as online games, messaging/video sharing apps, ecommerce used by under-18s, etc.) you’ll need to comply with the Age Appropriate Design Code (AADC). It came into effect in September 2020 but there is a 12-month transition period, which means you have until September this year to comply. If you don’t, there is a greater risk of being fined for non-compliance under GDPR and other related laws. Here’s what the ICO says about enforcement action it can take.
With the help of Aphaia, the data protection experts, we’ve pulled together an 8-point action list to help you get AADC compliant.
- Perform a data protection impact assessment (DPIA) to work out whether the personal data you process raises any specific risks to the rights and freedoms of children who are likely to access your products/services. Assess this in terms of the impact on children, given their increased vulnerability and reduced resilience, maturity, ability to understand, etc. You should be particularly careful if using children’s personal data for marketing, profiling and/or other automated decision-making. Specific risks include physical or mental harm, access to harmful or inappropriate content, encouragement of excessive risk-taking or unhealthy behaviour, compulsive use, excessive screen time, undermining of parental authority, etc.
- Where you are processing children’s data, check the lawful bases for doing so and that you have parental permissions in place where relevant.
- Establish what age range your users fall into and tailor the protections and safeguards accordingly or apply the standards to all your users instead.
- Update your privacy policy and other published terms, policies and community standards so that they are concise, prominent and in clear language suited to the age of the child likely to access the products/services. You’ll also need to provide ‘bite-sized’ explanations at the point at which personal data is collected. For example, you can combine text with pictures to draw attention and address a potentially shorter attention span.
- Provide ‘high privacy’ default settings and switch geo-location and profiling off by default where they’re not an indispensable part of the service.
- If you think you have compelling reasons for a different default setting, perform legitimate interest assessments, e.g. in a treasure hunt app or a music streaming service.
- Provide an obvious sign to the child when they are being monitored or tracked, including using geolocation.
- Identify what personal data is required for each element of your service and give children choice over which parts of your service they wish to use.
The ICO has set up the Children’s Code Hub with more information on the AADC and resources to help with compliance – check it out here. If you have any questions or want to discuss how this code affects your business, please get in touch.