This article comes from the WeChat public account: Tencent Research Institute (ID: cyberlawrc) , author: Shan Cai Xiong, Yuan Jun, the original title: “protecting children’s online Privacy and security – network services Code of practice-age design”, from the head of FIG. : Visual China

On January 22, 2020, the Office of the British Information Commissioner, a specialized agency for data privacy protection in the UK, (ICO) released the “Network Service Age Design Practice Code (hereinafter referred to as “Code of Practice”) The final version of ( Age appropriate design: a code of practice for online services) , designed to protect children from the privacy and security harm that online services may bring, looking forward to creating a safer online environment for children ’s learning, exploration and entertainment .

The Code of Practice starts with the data protection regulations of the European Union and the United Kingdom. It introduces the roles played by network service providers and parent guardians. It focuses on stipulating 15 design standards for children ’s age-appropriate network services, with the intention of providing online privacy Provide guidance on safety.

One


Background of the “Code of Practice”: Provide Internet Services for Children of Age in the Wave of Data Protection

Data has become an essential part of children ’s daily lives. From childWhen a child opens the application, plays a game, or browses a website, the data is not collected all the time. Although the digital economy can bring many benefits to children, it has not yet created a safe space for learning, exploration and entertainment.

As a result of the wave of data protection, the EU General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018 (Data Protection Act 2018) clarifies the necessity of formulating a code of practice for school-age children for network service providers, of which Article 123 of the Data Protection Act Clearly stipulated,

“The British Information Commissioner should formulate a code of practice to provide standard guidelines for online service providers to provide more secure online services for children of the right age.”

Two

Legal source of the Code of Practice: basic principles in the Convention on the Rights of the Child

The Code of Practice incorporates the basic principles of the United Nations Convention on the Rights of the Child concerning the protection of children ’s rights, including: freedom of speech; freedom of thought and belief; freedom of association and assembly; privacy from unlawful interference; ; Carry out age-appropriate entertainment; protect from economic, sexual, and other forms of violations.

Three

The core subjects of the Code of Practice: Information service providers and parents (Guardian)

The “Code of Practice” is mainly applicable to the British information society service providers (Information Society Service, ISS) . Not only the information society service providers that provide services to children, but also the providers of online products and services provided on their platforms, such as application APPs, programs, websites, games or communitiesNetworked toys or equipment, etc.

The Code of Practice also pays particular attention to the important role played by parents (Guardian) . Not only require network service providers to process children’s data with age-appropriate standards and consider the best interests of children, but also fully support parents or guardians to make the best choices that are most beneficial to children’s interests under appropriate circumstances and create a safe learning, exploration and entertainment space .

Four

The main content of the “Code of Practice”: 15 design standards for children’s age-appropriate network services

1. Maximize the interests of children. The basic connotation is that for children ’s possible online services, maximizing children ’s interests should be the primary standard in design and development. When dealing with children’s data, you need to consider how to avoid the erosion of bad content, promote physical and mental health, encourage self-awareness, and care for the disabled.

2. Data protection impact assessment. Based on children ’s different ages, abilities and development needs to conduct data impact assessments to mitigate the risks that data processing may pose to related children ’s rights and freedoms, the following steps can be taken:

  • Identify assessment needs

  • Describe the process

  • Consult children and parents

  • Evaluation of necessary principles and proportionality principles

  • Identify and evaluate the risks arising from the processing process

  • Identify risk reduction measures

  • Signature, record and integration

    3. Appropriate age. Use a risk-based approach to identify the user ’s age and ensure that the standards in the Code of Practice apply to children ’s users. Either establish a corresponding level of protection measures specifically for children ’s rights and freedoms in data processing, or apply the standards in this Code of Practice to all users.

    This code of practice adopts the following age range and development stage as guidelines to provide a reference for the development of age-appropriate applications.

    • 0-5 years old: preschool age

    • 6-9 years old: early school age

    • 10-12 years old: transition period

    • 13-15 years old: early youth

    • 16-17 years old: youth

      While referring to the above age range and development stage, the following technical measures can be considered.

      • Self-declaration: users simply describe their age


      • Artificial intelligence: use artificial intelligence algorithms to accurately predict age


      • Third-party age verification: use third-party services to verify age


      • Account holder confirmation: verify the age from the account owner, that is, the adult


      • Authority identifier: set a link to jump to the official identity authentication page, such as filling in passport information

        4. Transparency requirements. Privacy clauses provided to users, as well as other public terms, policies and community standards, should be concise in style, clear in language and suitable for children to read and understand, and should be promptly reminded under specific circumstances in a timely manner.

        For children of different ages, multiple choices should be provided.

        Age range


        Recommendation



        0-5 years old: preschool age


        Provide parents with complete information suitable for reading according to Article 13 & Article 14 of GDPR

        Provide audio and video to children to inform the prohibited and allowed behaviors



        6-9 years old: early school age


        Provide parents with complete information suitable for reading according to Article 13 & Article 14 of GDPR

        Provide cartoons, audio and video to children, briefly explain the privacy concepts involved in the service, default settings, who can see and how to operate



        10-12 years old: transition period


        Provide parents with complete information suitable for reading according to Article 13 & Article 14 of GDPR

        Provide children with written or audio and video, simple and detailed information options. When trying to change the default settings, inform the consequences via video and audio



        13-15 years old: early youth


        Provide parents with complete information suitable for reading according to Article 13 & Article 14 of GDPR

        Provide written or audio and video to teenagers with simple and detailed information options. When trying to change the default settings, inform the consequences via video and audio.

        Tell them to ask their parents for help



        16-17 years old: adolescence


        Provide parents with complete information suitable for reading

        Provide youth with written or audio and video, simple and detailed information options. When you try to change the default settings, you can provide written, video, and audio to inform them of the risks and consequences, and prompts can be inquired from adults or other trusted sources of information




        5. Data misuse. Do not use children ’s personal data in a way that has proven to be detrimental to the rights of the child, or in a manner that violates industry codes of conduct, other regulatory requirements, or government recommendations.

        6. Policies and community standards. Update disclosure terms, policies and community standards in a timely manner, including but not limited to privacy policies, age restrictions, rules of conduct and content policies.

        7. The default setting. The default settings for privacy protection must be maintained at a high level unless there are other good reasons for different default settings.

        8. Minimize the data. If a child intentionally and actively obtains online services, only the minimum personal data required to provide the services will be collected and retained. To provide children with alternative service content, it is necessary to distinguish between core functions and additional functions.

        9. Data sharing. Considering the maximization of children ’s interests, children ’s data should not be disclosed unless there are sufficient reasons.

        10. Geographical location data. The geolocation option is turned off by default, unless there are good reasons to prove that the geolocation is turned on by default to take into account the maximization of children ’s interests. When location tracking is active, children should be provided with clear tips. After each session, the option of geographical location visible to others must return to the off state by default.

        11. Parental control. If the service provides parental control functions, it should provide prompt information appropriate to the age of the child. If the online service allows parents or caregivers to monitor children ’s online activities or track their location, they should be provided with clear reminders when they are being monitored.

        12. Data portrait. The data portrait option is turned off by default, unless there is a good reason to indicate that the data portrait is turned on by default to maximize children ’s interests. Only when appropriate measures are taken to protect children from any harmful effects, especially content that is detrimental to the health or rights of children, data portraits are allowed.

        13. Boost technology. Do not use booster technology (nudge technology) (1) to lure or encourage children to provide unnecessary personal data, or to weaken or turn off their privacy protection.

        14. Networked toys and equipment. A networked toy or device must contain effective tools to comply with the relevant provisions of this code of practice.

        15. Online tools. There should be obvious, easy-to-access tools to help children exercise their data protection rights and report their concerns.

        Age range


        Recommendation



        0-5 years old: preschool age


        Provide icons, audio prompts or similar functions, even the youngest children understand the meaning of “I am not happy” or “I need help”



        6-9 years old: early school age


        Provide icons, audio prompts or similar functions, even the youngest children understand the meaning of “I am not happy” or “I need help”

        Provide online tools for children and parents to use separately



        10-12 years old: transition period


        Provide icons, audio prompts or similar functions, even the youngest children understand the meaning of “I am not happy” or “I need help”

        Provide online tools for children and parents to use separately



        13-15 years old: early youth


        Provide icons, audio prompts or similar functions, even the youngest children understand the meaning of “I am not happy” or “I need help”

        Provide online tools for children and parents to use separately



        16-17 years old: adolescence


        Provide icons, audio prompts or similar functions, even the youngest children understand the meaning of “I am not happy” or “I need help”

        Provide online tools for children and parents to use separately




        Comment:

        (1) nudge technique refers to positive reinforcement and indirect suggestions as a method to influence group or individual behavior decision-making, see https: //cloud.tencent. com / developer / news / 529102

        This article comes from the WeChat public account: Tencent Research Institute (ID: cyberlawrc) , author: Shan Cai Xiong, Yuan Jun, the original title: “protecting children’s online Privacy and security – network services Code of practice-age design.”