By Tony Allen, founder and CEO of ACCS, the independent third party certification scheme for providers of age-restricted goods, content and services.
With stories about misuse of online data rife at the moment, there’s no doubt in anyone’s mind how necessary it was to introduce the Age Appropriate Design Code (AADC) last year. For those that aren’t sure, the AADC is a statutory code of practice, prepared by the ICO (Information Commissioner's Office), designed to address the handling of children's personal data online.
The Code ensures children’s data is protected when they are using games, apps, connected toys and programmes as well as search engines, social media platforms and websites offering goods or services over the internet. Before its introduction, nothing was stopping organisations from storing children’s data and using it to shape content they would be more likely to be influenced by and engage with.
The AADC came into force on 2nd September 2020 and has a 12-month transitional phase, meaning those organisations that it applies to must conform by 2nd September 2021 – a mere six months away! If you are confused as to whether the changes apply to your business, the ICO has stated that if anyone under the age of 18 is likely to access your online products or services, you must review your policy.
Why the code is so important right now
As one of the most vulnerable groups in society, it’s important that children are protected against any potential persuasive or damaging content. We know that many parents are concerned about their children online. Echoing this, we recently commissioned some research and found 56% of parents with children under the age of 16 are concerned that tech companies have access to too much of their children’s personal data. Furthermore, 56% are worried about the amount of time their child spends online, a statistic only heightened by the Coronavirus pandemic, with 72% admitting that recent lockdowns have led to a surge in their child’s screen time.
It can be daunting to know where to start in making sure your organisation complies with the AADC. Consisting of 15 standards, those with developed privacy programmes such as data minimisation and restrictions on data sharing will be familiar with some of the points included. However, it is worth studying each one as there are some significant changes included which will change the way many companies can store data and the content they can use. To help you out, we’ve pulled together some of our top tips to help you best prepare for when the Code comes into force.
Identify your audience
A good place to start is to determine your audience and the steps you have in place to identify/protect children should they visit your site. If you don't want your site to be visited by children at all, you should make sure you have elements such as neutral age-screens and cookies that show the demographic of the person visiting your site, including age. For very high-risk activity, it can be worth hiring a third-party age verification service to check ages/collect ID solely for age verification purposes. A registry of systems that we have independently certified can be found here.
Child-friendly privacy disclosures
Moving forward, child-friendly privacy disclosures should be worked into websites. Often, it can be confusing for a child to understand a privacy policy so it can be good to ask yourself, if you were a child, would you understand your privacy policy? Consider including diagrams, cartoons and eye-catching graphics, as well as bite-sized explanations, to help younger users understand what they are agreeing to. You can even include messaging asking children to read through the policy with their parents before agreeing to it, to add extra reassurance.
Switch off optional data collection/sharing settings
Another simple way to comply with the Code is to make sure all optional data collection/sharing settings are switched off by default for all under-18 users in the UK. This includes any extra analytics and personalisation features that cannot be classed as part of your organisation’s core service. To find out if a user is under 18, ask them to input their date of birth upon entering the site.
Data Protection Impact Assessment (DPIA)
The Code requires all companies to document their compliance through a Data Protection Impact Assessment (DPIA). You can find a sample DPIA template online as part of the Code. A key requirement for an effective DPIA is to make sure you are consulting with parents and children to get their feedback on how they use your services and whether they fully understand the privacy policy you have in place. This can help you shape what needs to be done to improve your current policy and it is encouraged you host regular feedback sessions as you add more features to your website to make sure they are as compliant as possible.
Certification schemes
If you think you’d benefit from professional help, we are now taking initial enquiries for certification of adherence to the Code. This should be a quick and easy process and can provide added reassurance that you are doing everything you can to be compliant under the new rules.
Whilst the Code presents a number of new challenges for organisations to overcome, now is the best time to make sure you fully understand the changes that will need to be made and how to make them so you are ready for 2nd September 2021. It can be daunting to begin with; however, complying with these rules and regulations will become even more imperative as we move towards a safer society that prioritises the protection of children online.
For further information, visit ageappropriatedesign.accscheme.com or contact mark.cooley@accscheme.com.
