In the previous article, we discussed the Age Appropriate Design Code (AADC) in detail: its various standards, the reasons and justification for their creation, and their implementation.
For busy people, we've prepared a quick summary. Namely:
The Age Appropriate Design Code (AADC) prepared by the British Information Commissioner's Office is a collection of 15 standards, interconnected principles that are legally grounded in the provisions of the GDPR.
The AADC resulted from the need to counteract abuse and take care of the safety of young people. It aims to control and considerably limit the use of minors' personal data.
The primary idea behind AADC is the desire to protect the rights of children and adolescents (minors in general) by minimizing the personal data that digital product manufacturers and service providers collect, process, and share.
The AADC (Age Appropriate Design Code) elaborates on the provisions of the General Data Protection Regulation (GDPR), the European regulation.
In this article, we'll focus on the most practical issues, namely the impact of new legislation on the design process. We'll talk about how business owners should prepare for changes that — and everything points to this — will soon become a universal standard.
So, if you're curious about what impact the new regulations have and will have and how to prepare for their popularization, be sure to read this article.
We invite you to read on!
The significance of the AADC
On September 2, 2021, after a one-year transition period, a new law took effect in the United Kingdom, which impacted the following fields:
- Design (UX)
The Information Commissioner's Office (ICO) has the right to control organizations that operate on the Internet, in the British market, and whose customers or users are or can be children.
The AADC is an official tool and a collection of interpretive guidelines which allow the ICO to impose restrictions (e.g., prohibition of collection of personal data) or severe fines on companies.
In other words, failure to comply with new standards can cost a company not only a loss of an essential tool for collecting and maintaining customers but also financial losses and a loss of reputation.
The issue of using children's personal data is pretty sensitive. By not meeting the requirements included in the AADC, it's very easy to lose a company's good name.
That's because it's problematic to convincingly argue against minimizing the amount of data collected, making it transparent, or limiting its sharing with individuals, institutions, and third-party organizations.
It's hard to prove that a 5-year-old or 10-year-old is fully aware of consent to processing personal data or understands the broad consequences of tracking their activities or location.
It's difficult to argue that children's protection policies shouldn't be adapted to their age, cognitive capabilities, and awareness of threats and dangers.
It's challenging to effectively convince people that collecting personal data motivated by the desire to improve experiences, enhance provided services or personalize an offer should be allowed as a default option that doesn't require the consent of a parent or legal guardian.
Beware! After the AADC came into effect, companies that operate in the British market need to obtain consent from parents or legal guardians if the user is less than 13 years old. Older children will be able to give such consent on their own.
It's hard not to actively support (through adaptation to the code's requirements) the children's right to freedom, unrestricted access to information, or protection from economic and sexual exploitation.
It'll be difficult to justify unethical or ethically ambiguous marketing and advertising practices that persuade children who are susceptible to suggestion, influence, and manipulation to buy or to continue using a product.
The financial risk is perhaps the least severe risk that a company which, for various reasons, doesn't comply with these regulations is willing to incur.
The damage to the brand's image can be far more detrimental. A reputation of a company that doesn't care about children's rights and welfare can be very costly.
So, to avoid these losses, it's essential to prepare to meet these standards appropriately, especially since it can be assumed that the "child-friendly" label will become something to be proud of and an emblem that differentiates companies in the market.
How to design in an age appropriate way?
Of course, asking about the extent of child protection in the Polish market is fair because, as of now, Polish legislators still need to introduce adequate and similar solutions that would support the creation of products and services friendly to children, both the youngest and those more capable of defending themselves against the actions of unethical companies.
Nonetheless, in general, British standards have a big chance of becoming model standards.
Hence, adapting an organization to new standards and creating minor-friendly products doesn't only refer to companies operating in the British market.
Being "a child-friendly company" can also be a differentiator in the Polish market because of its business, strategic, commercial, and image significance related to User Experience.
It can prompt the creation of friendly functionalities, easy-to-understand communication, popularization of knowledge, and use of devices adapted to the capabilities of different audiences. It can support the need to make the Internet a space free of manipulation and UX design that uses intellectual advantage.
After all, the comfort of the youngest users of digital products and services is the essence of UX. The matter is serious because, as you can read on the Age Check Certification Schemes website, "56% of parents are concerned about how much time their child spends online. 72% of parents admit that recent Covid lockdowns have led to a surge in their child's screen time".
That's why these kinds of solutions in the current situation are necessary for various ethical and social reasons. The available applications should serve to develop and not harm the interests of children.
The above-cited Age Check Certification Schemes (ACCS) website is a handy diagnostic tool because it offers a collection of guidelines, advice, recommendations, and suggestions for optimizing a digital product in the majority of the most popular industries where the problem of abuse of children's rights is particularly critical.
In general, authors affiliated with ACCS suggest performing 5 activities, namely:
- Identify your audience — (Know Your Customer approach)
- Make Child-friendly privacy disclosures
- Switch off optional data collection/sharing settings
- Use Certification schemes
- Use Data Protection Impact Assessment (DPIA) Template.
Identifying the audience is a technological challenge and a problem requiring special verifying tools. Hence ACCS suggests using services provided by specialized companies, a list of which you can find here.
That's why it's recommended to pay special attention to the language and adapt the message (e.g., with infographics) to the capabilities and needs of children.
ACCS also suggests taking advantage of its audit service, through which an organization can diagnose all problems that come from the need to adapt to 15 AADC standards.
In the case of services and products under development, it's suggested to include AADC requirements as a default, a crucial part of design thinking related to security and User Experience.
It's also worth considering actions that a company may perform by itself. These primarily include:
- Establishing, categorizing, and prioritizing data that a company currently collects
- Switching off geolocation functions
- Withdrawing from ethically questionable practices (e.g., dark patterns, nudge techniques)
- Setting a high level of privacy as the default.
It's definitely a good solution for companies whose customers, users, or subscribers are minors to use a wide range of services offered by Age Check Certification Schemes.
ACCS provides the following:
- Checking the declaration of conformity with PAS 1296:2018 (a standard referring to problems with privacy, security, usability, availability, and data protection. The standard was developed by the British Standards Institute and Digital Policy Alliance)
- Age Estimation, Age Determination, and Age Categorisation systems
- Age Check Penetration Testing
- Age Check Policy Evaluation
- Age Check Quality Evaluation
- Age Check Technical Evaluation
- Subject Behaviors
- Presentation Attack Detection
- Detection Device Analysis
- Social Proofing verification
- Parental Consent testing
- Use of artificial intelligence
- Age Tokens & Pre-Purchase Age ID.
Data Protection Impact Assessment Template
The above-mentioned template is available here. It allows an organization to become self-aware regarding personal data protection, including children's data.
What is DPIA? Data Protection Impact Assessment (DPIA) is a process designed to systematically analyze, identify, and minimize the risk related to data protection. Meeting these requirements is essential because it means compliance with the British law determined in GDPR.
DPIA allows a company to:
- Discover and describe the goals, scope, context, and character of collected and processed data
- Estimate the need to collect and process them
- Learn about the proportionality of necessary data and those that have lower priority and meaning from the perspective of providing services
- Identify threats
- Implement countermeasures.
DPIA should be treated not only as a tool but also as a process in which it's possible to distinguish 7 essential stages in which the organization:
- Determines the need for DPIA
- Describes ways of processing personal data
- Defines its capabilities in terms of the correct estimation and considers the ability to use services of external companies
- Assesses the need and proportionality
- Identifies and evaluates risks
- Discovers measures to mitigate risks
- Documents results.
When using the DPIA template, it's necessary to evaluate the level of risk, the probability, and the possible effects and influence of the solutions used on users.
An evaluation that detects high risks should lead to immediate action and result in obtaining the appropriate certification.
All employees of an organization should be involved in the process of adapting services or digital products to the standards of AADC, regardless of the scope of their competencies or position within a company. The basis for verification of compliance should always be a document.
Estimation of compliance with the DPIA template is recommended for all companies.
With that said, it should primarily be used when an organization:
- Processes data on a large scale
- Uses profiling
- Processes biometric and genetic data
- Uses data from various sources
- Collects data on location and behavior
- Processes data for marketing purposes
- Processes personal data that can result in a risk of physical harm.
It's worth remembering that according to guidelines in the article "Data protection impact assessments," estimating compliance with the help of the DPIA template should start at an early stage of a project, before the start of collecting, processing, and sharing data.
The Age Appropriate Design Code. Summary
- The Age Appropriate Design Code (AADC) prepared by the British Information Commissioner's Office is a collection of 15 standards, interconnected principles that are legally grounded in the provisions of the GDPR.
- The protection of children's privacy is its primary idea. Simultaneously, age appropriate design, designing digital products or services for children, along with the new British legislation, opens a new era for UX and UI Design.
- This protection is primarily achieved by minimizing the personal data that digital product manufacturers and service providers collect, process, and share.
- The Information Commissioner's Office (ICO) has the right to control organizations that operate on the Internet, in the British market, and whose customers or users are or can be children.
- The Age Appropriate Design Code is an official tool and collection of interpretive guidelines that will enable the ICO to impose restrictions or fees on companies.
- Obtaining a certificate of compliance with the AADC isn't only a legal matter but also a strategic and image one.
- Not meeting standards and not being a child-friendly company makes it easy to harm a company's reputation.
- From September 2021, companies operating in the British market must obtain consent from parents or legal guardians if the user is under 13 years old.
- Older children will be able to give such consent on their own.
- In general, British standards have a big chance of becoming model standards. Hence, Polish digital business owners should also consider adapting to the new standards.
- ACCS suggests performing 5 actions: identify your audience, make child-friendly privacy disclosures, switch off optional data collection/sharing settings, use certification schemes, and use a data protection impact assessment template.
- Identification of an audience is technologically challenging. ACCS suggests using the services of specialized companies.
- In the case of services and products under development, it's suggested to include AADC requirements as a default, a crucial part of design thinking related to security and User Experience.
- For companies whose customers, users, or subscribers are minors, it's recommended to use the services offered by Age Check Certification Schemes.
- The DPIA template is a tool and diagnostic process.
- DPIA allows organizations to discover and describe the goals, scope, context, and character of collected and processed data. It also enables them to estimate the need for their collection and processing.
- When using the DPIA template, it's necessary to evaluate the level of risk, the probability, and the possible effects and influence of the solutions used on users.
- The estimation of compliance with the DPIA template should begin at an early stage of a project.
- The Age Appropriate Design also influences the design process. It's worth using it before collecting, processing, and sharing data. The AADC should be a part of the design process from an early stage of digital product development.
- Age Appropriate Design has a chance to become a canonical approach to User Experience.