Author: Aebha Curtis, Policy Analyst, TrustElevate
As of September 2nd, the ICO’s Age Appropriate by Design Code (AADC) has come into force. The Code was approved by Parliament last month and has entered a transition period of 12 months, during which time companies must adapt their practices to align with the new standards or face penalties.
At its core, the Code aims to address practices concerning data protection. Current data handling practices may pose a risk to those under 18, who were identified as “vulnerable data subjects” in the General Data Protection Regulation (GDPR) Guidelines regarding consent, produced by the European Data Protection Board. GDPR was transposed into UK law and is known as the UK Data Protection Act, 2018. In seeking to remedy common problems with the processing of children’s data, the ICO has put forward a set of 15 standards.
Of these, perhaps most significant is the requirement to ensure that the best interests of the child are the primary consideration when designing and developing online services. This is the first standard laid out and establishes children’s rights as the frame of reference for the rest of the Code.
In Section 3, which concerns Age Appropriate Application, the code asserts that service providers must “take a risk-based approach to recognising the age of individual users and ensure you effectively apply the standards in this code to child users.” Age assurance and verification are at the heart of the issue; if platforms do not age check their users, they cannot adhere to the Code and deliver age appropriate content and services across the board.
This constitutes a more robust articulation of GDPR’s Article 8, which requires those companies operating services being used by children to verify users’ ages and, in those cases where the user is too young (in the UK this is deemed to be children <13) to provide valid consent, acquire verifiable parental consent for processing.
The Code states,
“If you verify age and parental authority for Article 8 purposes then you need to do so in a privacy-friendly way. Collect the minimum amount of ‘hard identifiers’ (such as passport scans or credit card details).”
It also suggests the use of third-party verification suppliers operating attribute systems in compliance with DPA 2018 (adhering to principles of data minimisation, purpose limitation, etc.).
The Code is accompanied by a wave of tech innovation that is underpinned by internationally recognised digital identity standards, such as TrustElevate. These privacy-oriented tech solutions not only facilitate but also incentivise the building of products and services designed with children in mind.
TrustElevate offers such a service: a parent provides data points and grants permission for those to be verified. This facilitates the acquisition of Verified Age (VA) of the child, and Verifiable Parental Responsibility (VPR) without the need to collect and store additional information, such as scanned passports or facial recognition. Once parental responsibility has been verified, the holder can grant, deny or revoke consent on the behalf of the child.
Failure to comply with both DPA 12018 and the Code can result in a financial penalty from the ICO or an enforcement notice. It is essential, in many cases, that platforms and online service providers leverage solutions such as TrustElevate’s to fulfil their regulatory requirements or face fines of up to 4% of global annual turnover. Mitigating liability, however, should not be the only incentive for employing age verification technologies.
Companies that know the age bands of their users can enhance their services, delight their customers and foster trust throughout the digital ecosystem. Indeed, implementation of solutions like TrustElevate’s will allow a child’s best interests to be considered in light of their cognitive developmental stage, in accordance with their age-band. As a result, their needs can be best catered for in newly-secure online environments.
By providing digital platforms and businesses with users’ age-bands (without any Personal Information), TrustElevate facilitates a number of things. One, platforms and online businesses can limit interactions between users of different age-bands to proactively address online harms arising from interactions between adults and children online without oversight.
Two, it is possible to cater more specifically to children, enabling the delivery of child-friendly content to younger users who would otherwise be deterred by the lack of age-appropriate spaces on a particular platform, app or site.
Three, establishing verifiable parental responsibility builds trust between parents and platforms, facilitating the oversight that would be expected in the offline world and alleviating some of the pressures both parties currently experience as a result of internet-wide opacity regarding the age appropriateness of platforms and the content they deliver.
It is important to note that the Code is an elaboration on the existing provisions of GDPR and is not new law. Rather, it simply provides greater detail regarding the role that the ages or age bands of a service’s users play in data protection and offers greater insight into acceptable (or preferable) age verification practices.
Elizabeth Denham, the Information Commissioner, highlighted the necessity and achievability of the Code while looking forward to its impact on the digital ecosystem now and in the next generation, saying:
“When my grandchildren are grown and have children of their own, the need to keep children safer online will be as second nature as the need to ensure they eat healthily, get a good education or buckle up in the back of a car.”
In ensuring the implementation of safety measures parallel to those we see in the offline world, the Code marks an acknowledgement of the extent to which digitalisation has transformed everyday routine and procedure and the collaborative approach that must be taken to protect the most vulnerable from its potential harms. The Code is accompanied by a wave of tech innovation that is underpinned by internationally recognised digital identity standards, such as TrustElevate. These privacy-oriented tech solutions not only facilitate but also incentivise the building of products and services designed with children in mind.
Written by Aebha Curtis