The UK privacy regulator – the Information Commissioner’s Office (ICO) – has published the final version of its Age Appropriate Design Code of Practice for designers, developers, and operators of digital services aimed to be used by children.
The ICO requires that services provide greater protection of children’s personal data by default, stating, for instance, that location and profiling features in the service should be turned off by default. The code also prohibits using nudge techniques to lead or encourage children to provide unnecessary personal data or weaken their privacy protections.
The ICO emphasizes that the principle of data minimization is particularly important when collecting personal data of children and prohibits disclosing or sharing children’s data unless a compelling reason to do so can be demonstrated.
The ICO’s code also requires that the terms of use and privacy policy of such services be written in clear and concise language suitable for the age of the child and notify the child if the service allows for parental control.
The code is pending approval by the British Parliament and will come into effect 12 months thereafter.