Skip to main content

Keeping Children Safe Online (Webinar) – Key Takeaways

31 August 2022

Bryony Long and Nick Allan were delighted to welcome experts from Frankfurt Kurnit Klein & Selz and Ukie (The Association for UK Interactive Entertainment) to discuss current challenges in keeping children safe online, particularly in the context of games.

For those who were unable to attend the webinar, the recording is available here, and the four key takeaways from the session are:

1. The UK Children’s Code (Age Appropriate Design Code)

In the UK, the Information Commissioner’s Office (ICO) Children’s Code is the key piece of guidance. The Code is made up of 15 standards (core principles, service design principles, and standards for key data processing activities) which, together, require high privacy by design when it comes to children’s data. The Code applies to UK-based online service providers and non-UK based providers providing a service in the UK where the service is likely to be accessed by children.

To date we have seen no enforcement of the Code. The ICO seems more focussed on working with companies to get this right, particularly when it comes to the games sector. This collaborative approach aligns with that set out in the ICO’s strategy plan ICO25, and while ‘high risk sectors’ have been identified as social media platforms, video and music streaming services and video gaming platforms, the rhetoric remains the same and the “ongoing engagement programme” continues.

One of the benefits of this approach is the plethora of useful, pragmatic guidance, e.g. the design guidance, self-assessment risk tool and the transparency best practice, as well as the ICO Sandbox projects involving Yoti and Seers - to name but a few! That said, no-one should rest on their laurels, demonstrating compliance with the Children’s Code, and at the very least a well-progressed roadmap, would be expected should the ICO come knocking on the door…and of course it will be interesting to see what comes from the ICO’s review of the Code, that is due in Autumn 2022.

For more on the Children’s Code and what it means in principle and practice see our Lexis Nexis webinar, The Children's Code (2022) - Webinars (lexiswebinars.co.uk).

2. All eyes on the UK Online Safety Bill

The Online Safety Bill places a number of duties of care (such as to prevent harm or take down harmful content) on the providers of regulated internet services, with additional duties being placed on services likely to be accessed by children. All companies who are in scope must assess the risks and take action to address illegal activity that threatens the safety of children, as well as preventing access to material that is harmful for children, e.g. pornography, and ensuring there are strong protections from activities that are harmful to children, e.g. online bullying. Companies will also be required to provide reporting mechanisms both for children and parents, as well as having a duty themselves to report any child sexual exploitation and abuse content the platform encounters to the National Crime Agency.

Ofcom will be appointed as the regulator for the Online Safety regime and will have a wide range of powers including the power to fine up to £18 million or 10% of global annual turnover (whichever is higher) or apply to court for business disruption measures which could ultimately mean blocking non-compliant services. In addition to this Ofcom will be able to use “proactive technologies” to identify illegal content and to ensure children aren’t encountering harmful material, as well as being able to bring criminal sanctions against senior managers who “fail to ensure their company complies with Ofcom’s information requests, or who deliberately destroy or withhold information, should companies fail to take the new rules seriously”.

In its current form, the Bill applies to several types of services, including user-to-user services, where user-generated content is uploaded by, and shared with, other users. This is particularly relevant for distributors of multiplayer games (or games with multiplayer modes). Games companies are keeping a watchful eye on the Bill, but none want to move first to invest in the technology required for compliance until things are finalised. Although the Bill is delayed (and may be kicked into the long grass for some time), in the future, it may not be possible to ignore the structural changes it requires.

3. In the US, COPPA is the name of the game

Across the pond, the Children's Online Privacy Protection Act (COPPA) still regulates the online collection of the personal data of children under the age of 13 (including children outside the US). COPPA imposes certain requirements on operators of websites or services directed at children, and on operators of websites or services that have actual knowledge that they are collecting the personal data of children. Among other things, COPPA sets out what website operators must include in their privacy policy, and what steps operators must take to obtain verifiable parental consent for the collecting of the data of children. Enforcement action from regulators in respect of children’s data is more common in the US than in the UK, with the Federal Trade Commission and CARU (the Children’s Advertising Review Unit) cracking down on a host of operators this year already.

Alongside COPPA, some states (including California, Virginia, Colorado, Utah and Connecticut) have comprehensive privacy laws of their own, and the day after our webinar two federal bills to protect children and teenagers’ online privacy were passed out of the U.S. Senate Committee on Commerce, Science and Transportation. The first proposing to extend the scope of COPPA to children under the age of 17 and second a unanimous vote passed the Kids Online Safety Act (KOSA) which features a duty of loyalty clause requiring technology companies to prevent harm to minors while mandating more transparency in their algorithms for users and researchers. While these bills have a way to go it will be important to follow these developments closely.

The UK’s Information Commissioner has also been state-side this year, at the IAPP Global Privacy Summit in Washington DC in April and speaking with Californian law makers about the California Age Appropriate Design Code, which draws on the ICO’s Children’s Code. The dialogue won’t have been a one way street though, the ICO will have been taking a hard look at the laws in the US and the accompanying enforcement activity to see what lessons can be learned. While there are differences in approach between the US and the UK, protecting children’s data is a high priority for both countries and sharing best practice and leading by example is indicative of a desire to influence global change.

4. Balancing compliance

With different regulatory approaches across the world, it can be difficult for companies to strike the correct balance between regulatory compliance and operational freedom, and a one size fits all international approach. There is no golden standard, so companies should look carefully at children’s data protection regulations and guidance in all jurisdictions and adopt a sensible, risk-based approach.

For those with a presence in the US, COPPA has to be the starting point, however building in the ICO’s Children’s Code concepts would be prudent as the direction of travel is clear. As for those in the UK, compliance with the Children’s Code is essential. While the Code might not be being actively enforced at present, the time for talking will give way to the time for action, so building in the Children’s Code concepts will be a key privacy by design requirement going forwards. For our Continental cousins, there are codes and recommendations to comply with, and the EU do not share the UK’s sense of proportionality so it is certainly a case of when, rather than if, we see enforcement action across the Channel.

Conclusion

Children’s data is clearly an area of regulatory focus around the world, with many countries recognising the need to keep children safe online in a borderless digital world. It is important to keep on top of the upcoming changes and build these into your systems, policies and processes.

While the UK is currently a more lenient jurisdiction in terms of enforcement, preferring the collaborative approach at present, it remains to be seen how long this will last given the more prescriptive nature of the law and guidance. And what about the Online Safety Bill? We should find out more in the next few weeks…

On the topic of legislation, with changes afoot in the US it will be equally important to monitor developments and assess how they impact your organisation.

If you have any questions or we can be of any assistance please do not hesitate to contact Bryony Long, Nick Allan, Daniel Goldberg, Gregory Boyd or your usual Lewis Silkin/Frankfurt Kurnit Klein & Selz contact.

Related items

Related services

Back To Top