4 min read.Updated: 04 Sep 2021, 12:30 PM ISTKatie Deighton, The Wall Street Journal
New Children’s Code requires clearer explanations and promotes use of diagrams and cartoons
Websites and apps have to comply with a new set of guidelines on privacy warnings for children, a part of the U.K.’s effort to create a safer and better online environment for users under 18 years of age.
Age Appropriate Design Code, also known as the Children’s Code, requires companies that target children to comply with its 15 standards, including turning off geolocation tracking by default, or face penalties for unclear or convoluted messaging around data sharing. The measures are part of the data-protection requirements enshrined in U.K. law.
The code’s transparency standard, for instance, recommends that companies use clear and plain language in privacy agreements and provide child-friendly, “bite-sized" explanations about how they use personal data at the point that use is activated. It encourages the use of diagrams, cartoons, graphics, video and audio content—as well as games and interactive content—to explain the meanings of privacy and data policies rather than relying on written communications only.
The code also recommends that websites and apps for those who are too young to read or comprehend the concept of privacy should provide audio and video prompts telling kids not to touch or change privacy settings, or get help from an adult if they initiate such changes. Another rule forbids the use of pop-up nudges that may encourage a child to hand over more data while in the moment by using clever design—such as a large “yes" button that distracts the eye away from the corresponding “no."
The code is being implemented to protect British children, but its repercussions are expected to be further reaching. The rules, written to ensure companies abide by laws set out in the 2018 Data Protection Act, apply to both domestic and foreign companies that process personal data of children in the country, and websites and apps that aren’t explicitly designed for those under 18 but are still used by them must also comply, the commissioning body said.
Companies found to be in breach of the code may be subject to the same penalties as those that break the European General Data Protection Regulation, known as GDPR, which include fines of up to 4% of global revenue.
Several large social media companies, including Alphabet Inc.’s Google and ByteDance Ltd.’s TikTok, in the past month have made changes to their global privacy agreements and interfaces with younger users in mind, without making explicit reference to the Children’s Code.
Google last month said it would be introducing easy-to-understand reading materials for young people and their parents to improve their understanding of the search giant’s data practices. These include guides on privacy written for three age groups: ages 6-8, 9-12 and 13-17. Its YouTube platform said it would adjust its default upload setting to the most private option for users aged 13-17 and turn off autoplay by default for those users.
Facebook, which owns the apps Instagram and Messenger, said it is working with experts in the fields of online safety, child development, child safety and mental health to develop new products and features for young people, after introducing new features that discourage minors from interacting with adults they don’t know. TikTok this week announced a new feature that will prompt parents and guardians of teens to find out more about the platform’s privacy and safety settings, and help explain them to their children.
“Anything that is encouraging children and teens to better understand the cycle of use of our personal data is important, because even most adults don’t understand how all the data is used, and how much of it is collected," said Caitriona Fitzgerald, deputy director of the Electronic Privacy Information Center, a Washington, D.C.-based nonprofit focused on privacy issues.
The hefty penalty and the costs associated with product redesigns to accommodate the code may deter some small businesses based outside of the U.K. from launching in the market, at least until it is clear how adherence to the code will be policed, said Tyler Newby, a privacy and cybersecurity lawyer at Fenwick & West LLP.
The code’s broad application may also push companies to rethink the use of unwieldy policy agreements for adults too, he said. It could spark a new kind of focus group: Children reading privacy agreements and noting what they can and can’t comprehend.
“Otherwise it’s a bunch of adult lawyers sitting around wondering what a kid understands," Mr. Newby said.
Rep. Kathy Castor (D., Fla.) in July submitted a bill in Congress that includes elements of the Children’s Code, in a bid to strengthen the U.S. Children’s Online Privacy Protection Act, or Coppa, which came into effect in 2000 to give parents control over what information is collected from their children online. Sens. Ed Markey (D., Mass.) and Bill Cassidy (R., La.) in May introduced a similar legislative update called the Children and Teens’ Online Privacy Protection Act.