ICO Age Appropriate Design

The UK's data protection censors at the Information Commissioner's Office ICO have generated a disgracefully onerous red tape nightmare called the Age Appropriate Design Code that requires any internet service that provides any sort of grown up content to evaluate the age of all users so that under 18s can be protected from handing over sensitive ID data. Of course the age checking usually requires all users to hand over lots of sensitive and dangerous ID data to any website that asks.

Now the ICO has decided to make these requirements of porn sites given that they are often accessed by under 18s. ICO writes:

Next steps

We will continue to evolve our approach, listening to others to ensure the code is having the maximum impact.

For example, we have seen an increasing amount of research (from the NSPCC, 5Rights, Microsoft and British Board of Film Classification), that children are likely to be accessing adult-only services and that these pose data protection harms, with children losing control of their data or being manipulated to give more data, in addition to content harms. We have therefore revised our position to clarify that adult-only services are in scope of the Children's code if they are likely to be accessed by children.

As well as engaging with adult-only services directly to ensure they conform with the code, we will also be working closely with Ofcom and the Department for Digital, Culture, Media and Sport (DCMS) to establish how the code works in practice in relation to adult-only services and what they should expect. This work is continuing to drive the improvements necessary to provide a better internet for children.

The ICO issued the code on 12 August 2020 and it will come into force on 2 September 2020 with a 12 month transition period.

Information Commissioner Elizabeth Denham writes:

Data sits at the heart of the digital services children use every day. From the moment a young person opens an app, plays a game or loads a website, data begins to be gathered. Who's using the service? How are they using it? How frequently? Where from? On what device?

That information may then inform techniques used to persuade young people to spend more time using services, to shape the content they are encouraged to engage with, and to tailor the advertisements they see.

For all the benefits the digital economy can offer children, we are not currently creating a safe space for them to learn, explore and play.

This statutory code of practice looks to change that, not by seeking to protect children from the digital world, but by protecting them within it.

This code is necessary.

This code will lead to changes that will help empower both adults and children.

One in five UK internet users are children, but they are using an internet that was not designed for them. In our own research conducted to inform the direction of the code, we heard children describing data practices as nosy, rude and a bit freaky.

Our recent national survey into people's biggest data protection concerns ranked children's privacy second only to cyber security. This mirrors similar sentiments in research by Ofcom and the London School of Economics.

This code will lead to changes in practices that other countries are considering too.

It is rooted in the United Nations Convention on the Rights of the Child (UNCRC) that recognises the special safeguards children need in all aspects of their life. Data protection law at the European level reflects this and provides its own additional safeguards for children.

The code is the first of its kind, but it reflects the global direction of travel with similar reform being considered in the USA, Europe and globally by the Organisation for Economic Co-operation and Development (OECD).

This code will lead to changes that UK Parliament wants.

Parliament and government ensured UK data protection laws will truly transform the way we look after children online by requiring my office to introduce this statutory code of practice.

The code delivers on that mandate and requires information society services to put the best interests of the child first when they are designing and developing apps, games, connected toys and websites that are likely to be accessed by them.

This code is achievable.

The code is not a new law but it sets standards and explains how the General Data Protection Regulation applies in the context of children using digital services. It follows a thorough consultation process that included speaking with parents, children, schools, children's campaign groups, developers, tech and gaming companies and online service providers.

Such conversations helped shape our code into effective, proportionate and achievable provisions.

Organisations should conform to the code and demonstrate that their services use children's data fairly and in compliance with data protection law.

The code is a set of 15 flexible standards 203 they do not ban or specifically prescribe 203 that provides built-in protection to allow children to explore, learn and play online by ensuring that the best interests of the child are the primary consideration when designing and developing online services.

Settings must be high privacy by default (unless there's a compelling reason not to); only the minimum amount of personal data should be collected and retained; children's data should not usually be shared; geolocation services should be switched off by default. Nudge techniques should not be used to encourage children to provide unnecessary personal data, weaken or turn off their privacy settings. The code also addresses issues of parental control and profiling.

This code will make a difference.

Developers and those in the digital sector must act. We have allowed the maximum transition period of 12 months and will continue working with the industry.

We want coders, UX designers and system engineers to engage with these standards in their day-to-day to work and we're setting up a package of support to help.

But the next step must be a period of action and preparation. I believe companies will want to conform with the standards because they will want to demonstrate their commitment to always acting in the best interests of the child. Those companies that do not make the required changes risk regulatory action.

What's more, they risk being left behind by those organisations that are keen to conform.

A generation from now, I believe we will look back and find it peculiar that online services weren't always designed with children in mind.

When my grandchildren are grown and have children of their own, the need to keep children safer online will be as second nature as the need to ensure they eat healthily, get a good education or buckle up in the back of a car.

And while our code will never replace parental control and guidance, it will help people have greater confidence that their children can safely learn, explore and play online.

There is no doubt that change is needed. The code is an important and significant part of that change.

News websites will have to ask readers to verify their age or comply with a new 15-point code from the Information Commissioner's Office (ICO) designed to protect children's online data, ICO has confirmed.

Press campaign groups were hoping news websites would be exempt from the new Age Appropriate Design Code so protecting their vital digital advertising revenues which are currently enhanced by extensive profiled advertising.

Applying the code as standard will mean websites putting privacy settings to high and turning off default data profiling. If they want to continue enjoying revenues from behavioural advertising they will need to get adult readers to verify their age.

In its 2019 draft ICO had previously said such measures must be robust and that simply asking readers to declare their age would not be enough.But it has now confirmed to Press Gazette that for news websites that adhere to an editorial code, such self-declaration measures are likely to be sufficient.

This could mean news websites asking readers to enter their date of birth or tick a box confirming they are over 18. An ICO spokesperson said sites using these methods might also want to consider some low level technical measures to discourage false declarations of age, but anything more privacy intrusive is unlikely to be appropriate..

But Society of Editors executive director Ian Murray predicted the new demands may prove unpopular even at the simplest level. Asking visitors to confirm their age [and hence submit to snooping and profiling] -- even a simple yes or no tick box -- could be a barrier to readers.

The ICO has said it will work with the news media industry over a 12-month transition period to enable proportionate and practical measures to be put in place for either scenario.

In fact ICO produced a separate document alongside the code to explain how it could impact news media, which it said would be allowed to apply the code in a risk-based and proportionate way.

The Information Commissioner's Office (ICO) has just published its Age Appropriate Design Code:

The draft was published last year and was opened to a public consultation which came down heavily against ICO's demands that website users should be age verified so that the websites could tailor data protection to the age of the user.

Well in this final release ICO has backed off from requiring age verification for everything, and instead suggested something less onerous called age 'assurance'. The idea seems to be that age can be ascertained from behaviour, eg if a YouTube user watches Peppa Pig all day then one can assume that they are of primary school age.

However this does seem lead to a loads of contradictions, eg age can be assessed by profiling users behaviour on the site, but the site isn't allowed to profile people until they are old enough to agree to this. The ICO recognises this contradiction but doesn't really help much with a solution in practice.

The ICO defines the code as only applying to sites likely to be accessed by children (ie websites appealing to all ages are considered caught up by the code even though they are not specifically for children.

On a wider point the code will be very challenging to monetisation methods for general websites. The code requires website to default to no profiling, no geo-location, no in-game sales etc. It assumes that adults will identify themselves and so enable all these things to happen. However it may well be that adults will quite like this default setting and end up not opting for more, leaving the websites without income.

Note that these rules are in the UK interpretation of GDPR law and are not actually in the European directive. So they are covered by statute, but only in the UK. European competitors have no equivalent requirements.

The ICO press release reads:

Today the Information Commissioner's Office has published its final Age Appropriate Design Code -- a set of 15 standards that online services should meet to protect children's privacy.

The code sets out the standards expected of those responsible for designing, developing or providing online services like apps, connected toys, social media platforms, online games, educational websites and streaming services. It covers services likely to be accessed by children and which process their data.

The code will require digital services to automatically provide children with a built-in baseline of data protection whenever they download a new app, game or visit a website.

That means privacy settings should be set to high by default and nudge techniques should not be used to encourage children to weaken their settings. Location settings that allow the world to see where a child is, should also be switched off by default. Data collection and sharing should be minimised and profiling that can allow children to be served up targeted content should be switched off by default too.

Elizabeth Denham, Information Commissioner, said:

"Personal data often drives the content that our children are exposed to -- what they like, what they search for, when they log on and off and even how they are feeling.

"In an age when children learn how to use an iPad before they ride a bike, it is right that organisations designing and developing online services do so with the best interests of children in mind. Children's privacy must not be traded in the chase for profit."

The code says that the best interests of the child should be a primary consideration when designing and developing online services. And it gives practical guidance on data protection safeguards that ensure online services are appropriate for use by children.

Denham said:

"One in five internet users in the UK is a child, but they are using an internet that was not designed for them.

"There are laws to protect children in the real world -- film ratings, car seats, age restrictions on drinking and smoking. We need our laws to protect children in the digital world too.

"In a generation from now, we will look back and find it astonishing that online services weren't always designed with children in mind."

The standards of the code are rooted in the General Data Protection Regulation (GDPR) and the code was introduced by the Data Protection Act 2018. The ICO submitted the code to the Secretary of State in November and it must complete a statutory process before it is laid in Parliament for approval. After that, organisations will have 12 months to update their practices before the code comes into full effect. The ICO expects this to be by autumn 2021.

This version of the code is the result of wide-ranging consultation and engagement.

The ICO received 450 responses to its initial consultation in April 2019 and followed up with dozens of meetings with individual organisations, trade bodies, industry and sector representatives, and campaigners.

As a result, and in addition to the code itself, the ICO is preparing a significant package of support for organisations.

The code is the first of its kind, but it reflects the global direction of travel with similar reform being considered in the USA, Europe and globally by the Organisation for Economic Co-operation and Development (OECD).

Update: The legals

23rd January 2020. See article from techcrunch.com

Schedule

The code now has to be laid before parliament for approval for a period of 40 sitting days -- with the ICO saying it will come into force 21 days after that, assuming no objections. Then there's a further 12 month transition period after it comes into force.

Obligation or codes of practice?

Neil Brown, an Internet, telecoms and tech lawyer at Decoded Legal explained:

This is not, and will not be, 'law'. It is just a code of practice. It shows the direction of the ICO's thinking, and its expectations, and the ICO has to have regard to it when it takes enforcement action but it's not something with which an organisation needs to comply as such. They need to comply with the law, which is the GDPR [General Data Protection Regulation] and the DPA [Data Protection Act] 2018.

Right now, online services should be working out how to comply with the GDPR, the ePrivacy rules, and any other applicable laws. The obligation to comply with those laws does not change because of today's code of practice. Rather, the code of practice shows the ICO's thinking on what compliance might look like (and, possibly, goldplates some of the requirements of the law too).

Comment: ICO pushes ahead with age gates

23rd January 2020. See article from openrightsgroup.org

The ICO's Age Appropriate Design Code released today includes changes which lessen the risk of widespread age gates, but retains strong incentives towards greater age gating of content.

Over 280 ORG supporters wrote to the ICO about the previous draft code, to express concerns with compulsory age checks for websites, which could lead to restrictions on content.

Under the code, companies must establish the age of users, or restrict their use of data. ORG is concerned that this will mean that adults only access websites when age verified creating severe restrictions on access to information.

The ICO's changes to the Code in response to ORG's concerns suggest that different strategies to establish age may be used, attempting to reduce the risk of forcing compulsory age verification of users.

However, the ICO has not published any assessment to understand whether these strategies are practical or what their actual impact would be.

The Code could easily lead to Age Verification through the backdoor as it creates the threat of fines if sites have not established the age of their users.

While the Code has many useful ideas and important protections for children, this should not come at the cost of pushing all websites to undergo age verification of users. Age Verification could extend through social media, games and news publications.

Jim Killock, Executive Director of Open Rights Group said:

The ICO has made some useful changes to their code, which make it clear that age verification is not the only method to determine age.

However, the ICO don't know how their code will change adults access to content in practice. The new code published today does not include an Impact Assessment. Parliament must produce one and assess implications for free expression before agreeing to the code.

Age Verification demands could become a barrier to adults reaching legal content, including news, opinion and social media. This would severely impact free expression.

The public and Parliament deserve a thorough discussion of the implications, rather than sneaking in a change via parliamentary rubber stamping with potentially huge implications for the way we access Internet content.

For some bizarre reason the ICO seems to have been given powers to make wide ranging internet censorship law on the fly without needing it to be considered by parliament. And with spectacular incompetence, they have come up with a child safety plan to require nearly every website in Britain to implement strict age verification. Baldric would have been proud, it is more or less an internet equivalent of making children safe on the roads by banning all cars.

A trade association for news organisations, News Media Association, summed up the idea in a consultation response saying:

ICO's Age Appropriate Code Could Wreak Havoc On News Media 

Unless amended, the draft code published for consultation by the ICO would undermine the news media industry, its journalism and business innovation online. The ICO draft code would require commercial news media publishers to choose between their online news services being devoid of audience or stripped of advertising, with even editorial content subject to ICO judgment and sanction, irrespective of compliance with general law and codes upheld by the courts and relevant regulators.

The NMA strongly objects to the ICO's startling extension of its regulatory remit, the proposed scope of the draft code, including its express application to news websites, its application of the proposed standards to all users in the absence of robust age verification to distinguish adults from under 18-year olds and its restrictions on profiling. The NMA considers that news media publishers and their services should be excluded from scope of the proposed draft Code.

Attracting and retaining audience on news websites, digital editions and online service, fostering informed reader relationships, are all vital to the ever evolving development of successful newsbrands and their services, their advertising revenues and their development of subscription or other payment or contribution models, which fund and sustain the independent press and its journalism.

There is surely no justification for the ICO to attempt by way of a statutory age appropriate design code, to impose access restrictions fettering adults (and children's) ability to receive and impart information, or in effect impose 'pre watershed' broadcast controls upon the content of all currently publicly available, free to use, national, regional and local news websites, already compliant with the general law and editorial and advertising codes of practice upheld by IPSO and the ASA.

In practice, the draft Code would undermine commercial news media publishers' business models, as audience and advertising would disappear. Adults will be deterred from visiting newspaper websites if they first have to provide age verification details. Traffic and audience will also be reduced if social media and other third parties were deterred from distributing or promoting or linking titles' lawful, code compliant, content for fear of being accused of promoting content detrimental to some age group in contravention of the Code. Audience measurement would be difficult. It would devastate advertising, since effective relevant personalised advertising will be rendered impossible, and so destroy the vital commercial revenues which actually fund the independent media, its trusted journalism and enable it to innovate and evolve to serve the ever-changing needs of its audience.

The draft Code's impact would be hugely damaging to the news industry and wholly counter to the Government's policy on sustaining high quality, trusted journalism at local, regional, national and international levels.

Newspapers online content, editorial and advertising practices do not present any danger to children. The ICO has not raised with the industry any evidence of harm, necessitating such drastic restrictions, caused by reading news or service of advertisements where these are compliant with the law and the standards set by specialist media regulators.

The Information Commissioner's Office has a 'cunning plan'

Of course the News Media Association is making a strong case for its own exclusion from the ICO's 'cunning plan', but the idea is equally devastating for websites from any other internet sector.

Information Commissioner Elizabeth Denham was called to give evidence to Parliament's DCMS Select Committee this week on related matters, and she spoke of a clearly negative feedback to her age verification idea.

Her sidekick backtracked a little, saying that the ICO did not mean Age Verification via handing over passport details, more like one of those schemes where AI guesses age by scanning what sort of thing the person has been posting on social media. (Which of course requires a massive grab of data that should be best kept private, especially for children). The outcome seems to be a dictate to the internet industry to 'innovate' and find a solution to age verification that does not require the mass hand over of private data (you know like what the data protection laws are supposed to be protecting). The ICO put a time limit on this innovation demand of about 12 months.

In the meantime the ICO has told the news industry that age verification idea won't apply to them, presumably because they can kick up a hell of stink about the ICO in their mass market newspapers. Denham said:

We want to encourage children to find out about the world, we want children to access news sites.

So the concern about the impact of the code on media and editorial comment and journalism I think is unfounded. We don't think there will be an impact on news media sites. They are already regulated and we are not a media regulator.

She did speak any similar reassuring words to any other sector of the internet industry who are likely to be equally devastated by the ICO's 'cunning plan'.

Elizabeth Denham, Information Commissioner Information Commissioner's Office,

Dear Commissioner Denham,

Re: The Draft Age Appropriate Design Code for Online Services

We write to you as civil society organisations who work to promote human rights, both offline and online. As such, we are taking a keen interest in the ICO's Age Appropriate Design Code. We are also engaging with the Government in its White Paper on Online Harms, and note the connection between these initiatives.

Whilst we recognise and support the ICO's aims of protecting and upholding children's rights online, we have severe concerns that as currently drafted the Code will not achieve these objectives. There is a real risk that implementation of the Code will result in widespread age verification across websites, apps and other online services, which will lead to increased data profiling of both children and adults, and restrictions on their freedom of expression and access to information.

The ICO contends that age verification is not a silver bullet for compliance with the Code, but it is difficult to conceive how online service providers could realistically fulfil the requirement to be age-appropriate without implementing some form of onboarding age verification process. The practical impact of the Code as it stands is that either all users will have to access online services via a sorting age-gate or adult users will have to access the lowest common denominator version of services with an option to age-gate up. This creates a de facto compulsory requirement for age-verification, which in turn puts in place a de facto restriction for both children and adults on access to online content.

Requiring all adults to verify they are over 18 in order to access everyday online services is a disproportionate response to the aim of protecting children online and violates fundamental rights. It carries significant risks of tracking, data breach and fraud. It creates digital exclusion for individuals unable to meet requirements to show formal identification documents. Where age-gating also applies to under-18s, this violation and exclusion is magnified. It will put an onerous burden on small-to-medium enterprises, which will ultimately entrench the market dominance of large tech companies and lessen choice and agency for both children and adults -- this outcome would be the antithesis of encouraging diversity and innovation.

In its response to the June 2018 Call for Views on the Code, the ICO recognised that there are complexities surrounding age verification, yet the draft Code text fails to engage with any of these. It would be a poor outcome for fundamental rights and a poor message to children about the intrinsic value of these for all if children's safeguarding was to come at the expense of free expression and equal privacy protection for adults, including adults in vulnerable positions for whom such protections have particular importance.

Mass age-gating will not solve the issues the ICO wishes to address with the Code and will instead create further problems. We urge you to drop this dangerous idea.

Yours sincerely,

Open Rights Group
Index on Censorship
Article19
Big Brother Watch
Global Partners Digital

This is so wrong on so many levels. Britain would undergo a mass tantrum.

How are parents supposed to entertain their kids if they can't spend all day on YouTube?

And what about all the privacy implications of letting social media companies have complete identity details of their users. It will be like Cambridge Analytica on speed.

Jeremy Hunt wrote to the social media companies:

Dear Colleagues,

Thank you for participating in the working group on children and young people's mental health and social media with officials from my Department and DCMS. We appreciate your time and engagement, and your willingness to continue discussions and potentially support a communications campaign in this area, but I am disappointed by the lack of voluntary progress in those discussions.

We set three very clear challenges relating to protecting children and young people's mental health: age verification, screen time limits and cyber-bullying. As I understand it, participants have focused more on promoting work already underway and explaining the challenges with taking further action, rather than offering innovative solutions or tangible progress.

In particular, progress on age verification is not good enough. I am concerned that your companies seem content with a situation where thousands of users breach your own terms and conditions on the minimum user age. I fear that you are collectively turning a blind eye to a whole generation of children being exposed to the harmful emotional side effects of social media prematurely; this is both morally wrong and deeply unfair on parents, who are faced with the invidious choice of allowing children to use platforms they are too young to access, or excluding them from social interaction that often the majority of their peers are engaging in. It is unacceptable and irresponsible for you to put parents in this position.

This is not a blanket criticism and I am aware that these aren't easy issues to solve. I am encouraged that a number of you have developed products to help parents control what their children an access online in response to Government's concerns about child online protection, including Google's Family Link. And I recognise that your products and services are aimed at different audiences, so different solutions will be required. This is clear from the submissions you've sent to my officials about the work you are delivering to address some of these challenges.
However, it is clear to me that the voluntary joint approach has not delivered the safeguards we need to protect our children's mental health. In May, the Department

for Digital, Culture, Media and Sport will publish the Government response to the Internet Safety Strategy consultation, and I will be working with the Secretary of State to explore what other avenues are open to us to pursue the reforms we need. We will not rule out legislation where it is needed.

In terms of immediate next steps, I appreciate the information that you provided our officials with last month but would be grateful if you would set out in writing your companies' formal responses, on the three challenges we posed in November. In particular, I would like to know what additional new steps you have taken to protect children and young people since November in each of the specific categories we raised: age verification, screen time limits and cyber-bullying. I invite you to respond by the end of this month, in order to inform the Internet Safety Strategy response. It would also be helpful if you can set out any ideas or further plans you have to make progress in these areas.

During the working group meetings I understand you have pointed to the lack of conclusive evidence in this area — a concern which I also share. In order to address this, I have asked the Chief Medical Officer to undertake an evidence review on the impact of technology on children and young people's mental health, including on healthy screen time. 1 will also be working closely with DCMS and UKRI to commission research into all these questions, to ensure we have the best possible empirical basis on which to make policy. This will inform the Government's approach as we move forwards.

Your industry boasts some of the brightest minds and biggest budgets globally. While these issues may be difficult, I do not believe that solutions on these issues are outside your reach; I do question whether there is sufficient will to reach them.

I am keen to work with you to make technology a force for good in protecting the next generation. However, if you prove unwilling to do so, we will not be deterred from making progress.