Children and teenagers are a particularly attractive customer category.
Not only as a percentage of the total customer base, but also as a group of users particularly vulnerable and exposed to ethically questionable practices.
The Internet has simultaneously become a sandbox, a school, and a dark alley for children, where they are offered forbidden content, and their personal information is used.
The topic of online safety for children and young people has been downplayed for years. Fortunately, an initiative appeared that resulted in extensive public consultation, legislative work, and finally, a concrete document – the AADC – Age Appropriate Design Code.
What is the significance of the new law in force in the United Kingdom, which has already become an important reference point for institutions, parliaments, and social initiatives in many countries (including the California Age Appropriate Design Code Act)? What standards have been adopted under the Age Appropriate Design Code (AADC)?
Today we will look at a document that has the potential to initiate an important, needed, and long-neglected change in the rights of children and young people.
We invite you to read on!
Children as the most vulnerable and least protected Internet users
Reading through cyclical reports, studies, and articles produced by UNICEF, such as "Investigating Risks and Opportunities for Children in a Digital World" and "Contextualizing the link between adolescents' use of digital technology and their mental health: a multi-country study of time spent online and life satisfaction" raises awareness that children and teenagers are a vital part of the audience for online content.
Unfortunately, until now their business importance did not go hand in hand with the importance of their rights and interests.
Simply put, children and adolescents have not received adequate, real, and effective protection, in particular as users of the web: customers, gamers, subscribers, and content consumers.
Children on the Internet – up to now, this has been a neglected topic. The youngest became the subject of serious public debate relatively late. But in the end, this group also attracted the attention of activists, media, and politicians.
The crux of the undertaken work, analysis, and diagnosis was creating solutions to protect their interests and well-being. While there have been many initiatives on a European scale, a significant breakthrough was the initiative of the UK's Information Commissioner's Office.
The Information Commissioner's Office (ICO) has created a very important code from the perspective of the safety and interests of children and adolescents. It sets the framework, standards, and directions for the protection of children in the online space.
Adopted on 02.09.2020 by the British Parliament, the document is primarily intended to close a loophole and better protect the personal data of minors.
From the perspective of User Experience, and design standards for web applications, mobile applications, digital products, and services, the entry into force of the new law and standard is of great importance.
This is because it sets design standards within which the interests of children and young people will have to be respected and considered an important variable. That influences the digital product's final design and the design process.
Familiarization – even if only in general – with established solutions is necessary for UX agencies, web development companies, interactive agencies, or companies that make games or toys.
So what is the AADC all about, and in what sense is it complementary to the law passed with the GDPR (General Data Protection Regulation)?
GDPR and AADC – comparison
Although the issue of protecting children's rights is present in the General Data Protection Regulation (GDPR) adopted in 2016 (we're talking about Article 35, which covers Data Protection Impact Assessment), many commentators believe it is insufficient.
This is because general provisions cannot effectively counter abuse and protect children from it in a measurable way.
The noble idea of special protection of the personal data of the youngest users of the Internet has not been expressed in a detailed, concrete way that would permit effective law enforcement and prevention.
Moreover, the provisions of the GDPR were too vague. They posed a significant challenge for institutions, which did not quite know how to interpret the non-specific regulations in specific situations.
The dead law did little to protect the privacy of children and young people. This gap is being filled by the British ICO, which translates the vagueness of GDPR (but also the UN Convention on the Rights of the Child) into concrete terms.
Although the already fully adopted and functioning code is only a set of recommendations and best practices, it is a groundbreaking tool.
First of all, each of the 15 ICO standards has a legal foundation in the GDPR. Thanks to such a close connection between the two documents, it will be possible to do in practice what was previously only possible in theory.
Namely, the ability to enforce compliance with the law in a specific area. For now, the new law applies to entities operating in the British market.
Both parent companies and foreign companies with representative offices and branches, providing services and offering digital products in the UK market, had until September 2021 to adapt their services and products to the new law.
However, all indications are that the standards expressed in the ICO Code will become the reference point for legislation adopted in the European Union and individual member states.
UK's and California's Age Appropriate Design Codes
Although this article primarily focuses on the AADC and how it affects the United Kingdom and Europe, we must at least briefly mention California's Age Appropriate Design Code Act, which will come into force on July 1, 2024.
The California Privacy Protection Agency must publish appropriate regulations and guidelines by April 1, 2024, in consultation with the California Children's Data Protection Working Group. The Act will permit the Attorney General to issue civil penalties of up to $2,500 per child for each unintentional violation and $7,500 for each intentional violation.
The Future of Privacy Forum (FPF) recently published a policy brief that compares the UK's and California's documents.
Some key differences include the following:
- The United Kingdom's AADC is a statutory code of practice founded on GDPR, while California's AADC is standalone legislation that will support the California Consumer Privacy Act.
- The UK's code applies to providers of online products or services that process personal data and are likely to be accessed by children. The California AADC relates to a "business that provides an online service, product, or feature likely to be accessed by children," and at the same time it exempts a broadband internet access service, telecommunications service, delivery or use of a physical product, and health care providers and medical information covered by HIPAA rules.
- The UK provides additional examples and explanations regarding compliance requirements that California's legislation lacks.
- The UK derives the "best interest of the child" from the UN Convention on the Rights of the Child, while California's Act only references it in legislative findings and exemptions.
- Both codes require entities to provide high privacy default settings, but California's code doesn't explain what precisely that entails.
- The UK's code provides various guidelines regarding appropriate measures to determine the users' age. In contrast, California's legislation states, "Estimate the age of child users with a reasonable level of certainty appropriate to the risks that arise from the data management practices of the business or apply the privacy and data protections afforded to children to all consumers."
- Both Age Appropriate Design Codes require the Data Protection Impact Assessment. The difference is that the UK requires the assessment of rights and freedoms. In contrast, California requires the evaluation of the risk of "material detriment" and additionally states that the Data Protection Impact Assessment should be confidential regardless of any other laws, such as the California Public Records Act.
This is only a concise overview of the differences between these two codes, so if you want to dive deeply into this topic, we recommend reading the policy brief mentioned above.
What is the scope of the Age Appropriate Design Code?
Which industries, in particular, must respect the 15 standards of the ICO Code?
The AADC, in particular, includes and applies to:
- Companies that design and provide web and mobile applications
- Social media platforms
- Distributors of online games
- VOD and streaming platforms
- E-learning platforms
- Manufacturers of interactive toys
- Software developers
- E-Commerce/M-Commerce
- Search engines
- Online payment providers (in particular, regarding the so-called micropayments)
- Online media
- All websites offering users other goods or services through the Internet.
In general, all manufacturers and service providers whose direct or indirect customers and clients are children or, strictly speaking, minors should comply with the new standards.
Age Appropriate Design Code also aims to promote a pattern of child-friendly solutions even if children are not the direct recipients of content, services, or products.
All signs indicate that the AADC will not be another dead law. As we can read in the article "ICO Age Appropriate Design Code Enters Into Force," organizations that fail to comply with the code will be held accountable by the ICO.
Penalties include stopping personal data processing and a fine of up to 4% of the organization's overall turnover.
You should also know that if a business entity believes that its service is unlikely to be accessed by children (and the ICO provides information on such a case), then it would be best to keep some form of market research, user behavior data, or internal company research as competent and reliable evidence.
Flexible and diverse child protection in the AADC
The category of minors includes a wide variety of people. A six-year-old and a fifteen-year-old, in terms of, for example, intellectual differences, are separated by a considerable gap.
Unsurprisingly, British solutions consider age an essential variable from which specific solutions should emerge.
The AADC distinguishes 5 age groups, which have been identified according to the typical course of a young person's intellectual, motor, emotional, and social development.
Solutions should be tailored to the following age groups:
- 0 to 5 years: Preliterate and Early Literacy
- 6 to 9 years: Core Primary School Years
- 10 to 12 years: Transition Years
- 13 to 15 years: Early Teens
- 16 to 17 years: Approaching Adulthood
At the same time, child safety, in general, should be the primary design and business premise. Maintaining a high level of privacy should be the default value every time.
In practice, this means that the collection, storage, and sharing of children's data should be limited to the maximum possible degree.
The above sentences may seem to be a little hollow and general, but the code prepared by the ICO indicates various age assurance methods for verifying users' age, for example, through:
- User declaration
- Use of AI (Artificial Intelligence)
- Confirmation of age by third parties (institutions, other users)
- Functionalities that prevent fooling age verification mechanisms.
In fact, the most prominent goal of the ICO is to create standards that will result in default settings that provide children with access to digital products that do not violate their rights, primarily by not allowing the excessive collection and use of personal data.
Minimizing the scope and depth of such practices permeates each of the 15 standards.
Even more importantly, protection will manifest already at the design level, and some of the main addressees of the ICO code are UX/UI Designers, among others.
15 standards for the protection of children's personal data according to ICO
The AADC is a set of 15 standards, norms, and recommendations that regulate the inadequacy of content, services, and products offered to children.
The document discussing the various standards, "Age appropriate design: a code of practice for online services," reads, among other things, that currently, children have too easy and unrestricted access to content, services, and products that do not take into account their age and the resulting limited ability to understand and control the consequences of the use of their personal data.
Before the introduction of the AADC in the UK, it was possible to design services that potentially put commercial interests above those of children.
With the entry into force of the new standard, this situation is set to change dramatically.
So let's take a closer look at individual standards.
1 AADC Standard – Best interests of the child
A document prepared by ICO, "Age appropriate design: a code of practice for online services," briefly describes the first standard, which states that the child's welfare must be a primary consideration when designing and developing online services that a child can access.
The legal basis for the first AADC standard is Article 3 of the United Nations Convention on the Rights of the Child (UNCRC), according to which the child's best interest is what is best for the child.
Meaning everything that is conducive to their physical, emotional, intellectual, and social development. According to the Convention, the child also has the right to privacy and the right to be free from economic exploitation.
Therefore, children should be:
- Protected from the potential commercial exploitation
- Supported in the development of views and identity
- Supported in maintaining their well-being and health
- Protected from restrictions on their freedom.
The framework of the child's best interests should include the following:
- Safety and health
- Well-being
- Good family relations
- Proper physical, mental, and emotional development.
Details regarding these problems can be found in a separate document, "Children's code: best interests framework."
2 AADC Standard – Data protection impact assessments
The premise behind the second standard reads as follows: failure to use the framework to consider the risks posed by data processing and the broader implications of its use increases the likelihood of harm.
Furthermore, in the document "Age appropriate design: a code of practice for online services Impact assessment," we can read that the implementation of this standard makes it possible to:
- Minimize risks at an early stage
- Reduce costs resulting from the need to adapt the project to the standard
- Make the standard a design routine that protects not only children but also business owners from losses (e.g., financial, image – related to reputation)
- Manifest values and responsibility
- More effectively prove their case in court.
Assessment and validation in this regard are best done by confronting the project with the guidelines contained in the document "How do we do a DPIA?"
3 AADC Standard – Age Appropriate Application
Developers and business owners are responsible for adapting the application to the age and, thus, the users' capabilities, needs, and limitations.
Different needs characterize children at various stages of development. They also require a different scope, nature, and manner of protecting their rights and freedoms.
Clear and precise determination of the age of future recipients makes it possible to tailor safeguards to the development stage.
The AADC authors describe in detail opportunities, needs, and limitations (including legal ones) in a separate annex ("Annex B: Age and developmental stages").
4 AADC Standard – Transparency
Transparency in the AADC refers to several issues. Among other things, it means to simply, understandably, and honestly:
- Inform users about the content, with the message linguistically adapted to the age of the child
- Formulate rules and explanations.
In addition, decisions to accept rules and regulations and give consent should depend on the ability to properly understand their content and consequences.
Furthermore, as the age of users decreases, they should be expressed with the help of parents or guardians.
For more on the Transparency problem, see the article "Principle (a): Lawfulness, fairness and transparency."
5 AADC Standard – Detrimental use of data
By detrimental use of data, the authors of the AADC mean such use that negatively affects the child's physical health, mental health, and well-being, which does not comply with industry codes of conduct or other environmental recommendations and regulations.
Best practices in this regard include:
- Avoiding reinforcing engagement and dependence of children by offering benefits that are obtainable with the help of personal data.
- Avoiding suggesting a loss due to ceasing to use the service or application.
- Avoiding using functions that automate use at the expense of free choice.
- Offering the opportunity to take a break without feeling a loss.
6 AADC Standard – Policies and community standards
This standard acts as a memento as it appeals to creators, sellers, and service providers to abide by their terms and conditions, rules, privacy standards, age restrictions, limits on acceptable content, and behavior.
A reminder of this kind seems warranted since dead, unenforced laws and norms are as harmful as the lack of them.
Declarative restrictions on age and data use are worthless if they are not backed up by concrete actions – such as controlling the age of users.
7 AADC Standard – Default settings
According to ICO guidelines, default privacy settings should have "high privacy."
This means that, by default, we should not:
- Collect children's personal data if it is not necessary
- Share children's personal information with an unlimited number of other users.
The default settings should:
- Not permit the collection of data that is not necessary for the online service
- Not share data with third parties and institutions
- Provide necessary explanations when the user wants to change them
- Offer the ability to restore the default value.
8 AADC Standard – Data minimisation
According to the eighth standard, personal data should be collected and stored in minimal amounts, only to the extent necessary to provide services properly.
This means that collecting data that does not serve the primary purpose is not advisable.
We should add that, as in previous sections of the code, the specific provisions of the GDPR also provide the legal basis for this point.
The eighth standard also strongly emphasizes the decision-making power of children, who should be offered a wide range of choices. More importantly, data collection motivated by the desire to improve online services should not be done either.
9 AADC Standard – Data sharing
Sharing children's data (with third parties outside the organization) must be thoroughly and convincingly motivated. It should be based on the best interest of the child. An interest that would justify the transfer of personal data can be, for example, the desire to prevent fraud and crimes (e.g., sexual).
This means that personal data should be shared rarely, to a limited extent, and only in situations where it serves the interests of children, not individuals, institutions, or organizations.
The ICO also recommends making it mandatory to obtain declarations from data recipients, that is, a commitment that children's personal data will be treated as confidential.
According to Standard 9, the extent to which the guarantees made are realistically fulfilled should also be checked.
10 AADC Standard – Geolocation
The option to track a user's location should be disabled by default. The opposite value is permissible only in exceptional situations motivated by the children's best interest. Users should be clearly and unambiguously informed if tracking is enabled.
In the case of being able to determine the physical location of a child, the matter becomes serious because there is a significant risk of exposing them to physical danger.
The availability of data regarding geolocation may also harm the child's psychological and emotional well-being.
Therefore, the ability to change these settings (on/off) should be offered as a basic feature.
The AADC makes it clear that information about the collection, storage, and sharing of location data should be provided during registration, account creation, and use of the product or digital service.
11 AADC Standard – Parental controls
Design solutions and the use of modern functionalities and technologies (such as AI) cannot always replace the role, function, and importance of the actions taken by parents themselves.
They can make use of parental control tools. The ICO Code, guided by noble yet very sober considerations, discusses the issue in all its complexity.
While parental control – by definition – is meant to serve children and safeguard their best interests, it can itself be a source of abuse. Hence, the AADC clearly recommends offering children explanations of what parental control is, its functions, and the consequences it can have for them.
It is advisable to inform children that their parents can monitor their activities. In doing so, it is worth remembering that the older the child is, the more important it is to inform them of their right to have their privacy respected.
12 AADC Standard – Profiling
In the GDPR, profiling is defined as any form of automated processing of personal data. In particular, it is the use of personal data to assess, analyze, and predict the behavior, situation (e.g., economic, health), preferences, and plans of users.
According to the AADC, profiling should be an inactive function by default. It can be enabled by default as long as its use is necessary to provide essential functions or results from obligations imposed on the entity by law.
A service provider wishing to use profiling functions must inform users comprehensively about this fact and its consequences in a manner meeting the requirements of the transparency standard.
The purpose of restricting (not banning) profiling is to minimize the risk of children's exposure to potentially harmful content and thus reduce potential harm.
13 AADC Standard – Nudge techniques
In the most general sense, nudge techniques involve inducing and encouraging children to perform actions that are desirable from the perspective of the service provider, the owner of the digital business, yet questionable from the user's standpoint.
Suggesting the "right," "desirable," "expected," or "profitable" behaviors and actions is as common within the design using nudge techniques as making it difficult to make, or hiding, choices not preferred by the organization.
According to the ICO's interpretation and standard, techniques of this kind go against the principle of transparency, which is particularly important in the case of children. Minors with limited ability to recognize such manipulations should be particularly protected.
An approved use of nudge techniques is any situation in which a child is encouraged to choose more restrictive privacy settings. This also applies to functionalities designed to prompt children to take a break when the use time is too long and detrimental to their well-being.
Age appropriate design is, therefore, also a relatively reasonably conceived tool. A tool that makes designing for children a process in which the creation (of a website, for example), tools, and techniques used are intended to improve communication and increase the knowledge of its users.
In a nutshell, age appropriate design is meant to be relevant to young people's skills and different needs.
At the same time, it is not a matter of restrictions but of seeking solutions that equally guarantee safety and make the creation process a way to obtain convenient products.
As we can see in the example of nudge techniques, the available solutions can be used in various ways, including positive ones.
14 AADC Standard – Connected toys and devices
The second-to-last standard draws attention to the growing problem of protecting personal data collected through toys and physical devices connected to the Internet.
Devices that may violate children's rights include cameras, microphones, fitness trackers, and interactive speakers. Manufacturers of toys and devices are obligated to protect children online on their own. Placing responsibility on external entities is considered a significant violation of rights under the AADC.
Users of toys and devices must be informed at the sales offices, in the configuration process, and on packaging about how data are acquired and stored.
In particular, through information and warnings, users should be aware of situations and actions that trigger the data collection function. Even more importantly, data collection in the "standby" mode of the device should not be possible.
15 AADC Standard – Online tools
What are online tools? The age appropriate design code specifies that these are all kinds of mechanisms that make it easier for children to exercise their rights in a simpler, friendlier, and more informed way.
Examples of such tools could be functions that facilitate access to copies of personal data, complaint forms, and information about rights available in applications and software interfaces.
The protection of children's privacy should allow them to:
- Obtain help
- Express disapproval
- Get more information and explanations
- Make complaints.
It is worth remembering that the GDPR, which is also the basis for the last AADC standard, grants individuals to whom the data relate the right to:
- Access them
- Delete them
- Restrict their processing
- Object.
Age Appropriate Design Code. Summary
Even a very superficial look at the solutions adopted in the United Kingdom (the Age Appropriate Design Code is already being discussed in the press) regarding protecting children using products and services online makes one realize the importance of the change we can soon expect to see in many countries.
The adopted solutions have an excellent opportunity to become precedent-setting and are already precursor solutions, inspiring legislative action in other countries.
Their rightness is obvious. Effectiveness is a matter of time and verification policies adopted in given countries.
Nevertheless, we should already be ready for these changes in legal, business, design, UX, and technological terms.
In the article "How to design in an age appropriate way? The Age Appropriate Design Code," we discussed how to prepare for the changes initiated by the Age Appropriate Design Code.