The ICO’s Age Appropriate Design Code: Default Settings and Data Minimization
This post discusses Standards 6 and 7 of the draft Age Appropriate Design: A Code of Practice for Online Services, published by the UK’s Information Commissioner’s Office (ICO).
Standard 6 would require “high privacy” settings by default, absent proof of a compelling reason for a different default setting. This means a child’s personal data could only be visible or accessible to other users if the child were to change the default settings to allow it. Also, by default, use of children’s personal data would be “limited to use that is essential to the provision of the service. Any optional, more intrusive, uses of personal data, including any uses designed to personalize the service have to be individually selected and activated by the child.” Likewise, any settings that allow third parties to use personal data would need to be activated by the child.
If a child were to attempt to change a privacy setting, the Code would require the provider to give the child an age-appropriate explanation and, potentially, a prompt to speak with a trusted adult. The burden would fall on the controller “to demonstrate that [it] ha[s] made it easy for a child to maintain or revert to high privacy settings if they wish to do so.”
Like the Children’s Online Privacy Protection Act (COPPA), Standard 7 of the Code would prohibit the collection of more data than needed to provide the elements of a service a child wants to use. Providers would be required to differentiate between each individual element of their online services and, for each one, consider what personal data is needed and for how long. The ICO states that providers should give children as much choice as possible over which elements of an online service they wish to use and, therefore, how much personal data to provide. For example, children should be given the choice to use a core service without the collection of personal data used to improve, enhance or personalize the user experience.
Moreover, Standard 7 would seek to avoid the collection of real-world identifiers whenever possible, instead making use of options like avatars and usernames.