The ICO has published its 15-point guide to age-appropriate design, which is there to serve as a guide for online businesses on how they should protect children’s data rights.
If you go through the set of principles, you may end up screaming at the screen the same thing as me — isn’t this already enshrined in GDPR? The constant references to the Regulation suggest that this isn’t just a first impression — it’s pretty much what the guide is there to do.
It seems geared towards reminding online businesses of the legal obligations they are already under. There are elements in there such as data minimisation, considering the impact of collecting data, and not sharing it unless it’s in the child’s interest.
Then we get on to setting defaults not to geolocate children and not to profile them, unless it can be shown to be in the child’s benefit. In fact, the first golden rule is to always put the child first.
Now, there are other bits and bobs in there about being open and transparent and explaining why parental controls are being offered. There is even explicit guidance on avoiding “nudge” techniques to entice children to share data in return for extra features on a site.
So perhaps I’m being a little bit harsh — there is some useful clarification in there, particularly when toy manufacturers are reminded that these rules apply to connected toys.
However, a lot of what’s in the guide is common sense and a re-introduction to the GDPR. Don’t get me wrong, this is not a dig at the ICO. It has a job to do and it’s laying down some ground rules for those who have not yet fully embraced their responsibility toward children.
The surprise is that the privacy watchdog has felt compelled to act when much of this is already law. Taking no more data than you need, not tracking or profiling children by default, it’s already what companies should be doing. Being transparent about this is, again, what businesses are required to do.
Sure, the guidance places the onus on sites and apps to identify, or somehow have a very good guess, when a child is using their service, which is useful to know — but otherwise the code reads like a reminder of what sites should already know. GDPR happened more than a year and a half ago. It was heralded by a lengthy implementation period.
It just feels a little disconcerting that the ICO has had to remind publishers of their legal obligation. Sure, some of the pointers are useful clarifications to make sure they get it right — but so much is a reminder that GDPR is the law, it makes you wonder what sites and apps have been getting away with until now.