Uncategorized

Why minors need to be at the center of digital design

People under the age of 18 are spending more and more time online. To prevent misuse of your data, the Information Commissioner’s Office in Great Britain has issued the Age Appropriate Design Code. Our guest author explains why this is also relevant in Germany.

Whether homeschooling via video conference or a digital meeting with the sports club: In recent months, more and more children have gone online for the first time. Of course, it’s not just about chatting with the teacher. The young media users also use this opportunity to discover many other offers on the Internet. However, the Internet is designed for adults. In the meantime, however, there are protective mechanisms for under 18-year-olds, such as the GDPR in Europe. To ensure compliance, the UK has created the new Age Appropriate Design Code (AADC), a set of rules for responsible design.

In practice this means that companies have to develop the design of their digital solutions based on the protection of the personal data of under 18-year-olds. An infringement will result in fines of up to 20 million euros or four percent of the company’s worldwide annual turnover from the previous financial year. The AADC, like the GDPR itself, is extraterritorial and therefore takes effect as soon as a company processes data from a child from Great Britain. This means that programmers, designers or content creators must already consider the moral, ethical and data protection appropriateness for young addressees when developing their games, digital content and services. Obtaining parental consent is no longer enough. But how does the implementation work?

Perform a Data Protection Impact Assessment (DPIA)

Every company that operates a website, an app, a connected device or another digital service and has users who are not yet of legal age or cannot rule out use by younger users should carry out an assessment of the effects on their own data protection (DPIA ) carry out. It is important for the operator to take a closer look at the data that they collect and process. An adjustment in the design of the product may have to be made in order to comply with the new guidelines. The aim should always be to act in the best interests of the children. AADC clearly defines that companies violate the decision if they do not use data in the best interests of the children. Factors such as the child’s age, psychological and emotional development and well-being are subsumed under best interest.

A first step for companies is the implementation of measures to carry out an assessment of the age structure of the users, which is adapted to the risk of data processing. These could be age restrictions, but also checks on proof of identification. If a company cannot accurately determine the age of its users or does not want to inquire about it, it should implement the policy in such a way that it applies to all users. This is the only way it can ensure that it does not violate the regulations. But that also presents a fundamental challenge: verifying the age of a user without asking too much personal information.

Process data in accordance with AADC and GDPR

Since the publication of the first draft of the AADC last year, the guidelines for the use of collected data have been weakened somewhat. Nevertheless, the code strictly regulates how operators can use personal data. For example, the final draft stipulates that companies must give a child the opportunity to pause a game. The game progress must not be lost, even if, for example, the structure of the game level or the reward mechanisms for a game are designed to extend the game time. Responsible design also discourages mechanisms aimed only at increasing engagement, increasing sales, or manipulating children’s behavior. A much-discussed topic in this context from the gaming area is, for example, loot boxes. A loot box is a container in a video game that contains a random selection of items. They are either completely free of charge for the players – or they have to pay in increments for the box or its opening. The latter is being discussed increasingly critically, as the principle works in a similar way to gambling.

Almost finished!

Please click on the link in the confirmation email to complete your registration.

Would you like more information about the newsletter? Find out more now

More importantly, however, the prohibition on using personal data to recommend content that is not in the best interests of the child. It doesn’t matter whether it’s advertising or content personalization. This provision targets influential referral tools that attempt to increase user activity on social media platforms through methods such as nudging, or encourage them to lower their privacy settings. The privacy settings must always be set to “maximum” for children.

Implementation of standards against bullying and co

If the risks that children are exposed to on a company’s platform are high, then child safety must be a top priority. If operators of digital products say in their own guidelines, for example, that they do not tolerate bullying, then they have to install mechanisms to ensure that this is also the case in practice. The initiator of the Age Appropriate Design Code, the Information Commissioner’s Office (ICO), justifies its responsibility here on the basis of the term “fairness”. The ICO declares that companies that do not comply with data protection standards do not offer a fair service and are therefore not “fair” themselves, which in turn violates the GDPR.

The data minimization policy is intended to prevent the unnecessary use of data from children. The ICO stipulates that blanket consent to data processing is unacceptable: “Children should have as much freedom of choice as possible about which elements of an online product or service they want to use and thus also how much personal data they want to make available “Conversely, this means that companies have to look at every function of the website or service independently of one another. This is the only way they can determine exactly on what basis they are allowed to collect personal data from children and on which they are not.

The UK Age Appropriate Design Code is expected to come into force in September 2021. As developers, brands and web publishers prepare for the late summer deadline, other European regulators are already following in the footsteps of the ICO and are about to introduce their own standards or guidelines on children’s privacy. Examples are Ireland, the Netherlands and France. So it is also important for companies and brands not related to Great Britain to deal with it now and to adapt the design of their products and to think about this topic right from the start. Because children are now an integral part of the Internet and, more than anyone else, need a secure online experience that complies with data protection regulations.

You might be interested in that too

Leave a Reply

Your email address will not be published. Required fields are marked *