UK Children’s Code sets the pace as one of several international initiatives

The UK government is planning in the coming months to deliver its response to its consultation on the reform of the UK Data Protection Act covering direct marketing, international transfers, anonymisation, research and much else. With so many subjects to address, both the government and John Edwards, the new Information Commissioner, must be pleased that the entry into force of the ICO’s Children’s Code on 2nd September 2021 was a task completed under the leadership of his predecessor. The statutory basis of the UK code, with its 15 standards, gives the ICO strong enforcement options which we will see being deployed in due course.

Such powers focus the attention of companies providing online services to young people and those services which are likely to be used by them. The code is not designed to shackle creativity or innovation. As the ICO has stated: “This code seeks to protect children within the digital world, not protect them from it.”

The UK’s initiative is part of a wider international effort. The impetus to better protect children against inappropriate targeting of young people and collection and processing of their personal data has also been powered by initiatives in several other countries. For example:

  1. Ireland’s Data Protection Commission published in December its Fundamentals document (PL&B International Report February 2022) and is leading a European Data Protection Board group on children’s issues including DPAs from France, Denmark and other countries. It is expected to lead to a European Economic Area wide policy document by the end of 2022.
  2. France’s CNIL is very active in the area of protecting children online, and has published eight recommendations on the digital rights of minors.
  3. In the US, President Joe Biden, in his State of the Union address on 1st March made this one of his four unity agenda items: “We must hold social media platforms accountable for the national experiment they’re conducting on our children for profit…It’s time to strengthen privacy protections; ban targeted advertising to children; demand tech companies stop collecting personal data on our children.”

Meanwhile California’s Attorney General, Rob Bonta has recognised the specific needs of parents and their children. On his webpage Protecting Your Child's Privacy Online, he explains that the state law requires a commercial web site which collects personal information to post a privacy policy. The policy must list the kinds of personal information the site collects. It must also tell if it shares that information with outside companies and the kinds of companies involved.

Furthermore, the California State Assembly has introduced a new bill to protect children’s data online apparently based on the ICO’s Children’s Code.

Recognising children’s rights can readily attract consensus. Everyone can support, in principle, the “best interests of the child” enshrined in the United Nations Convention on the Rights of the Child. Other international organisations, including the Council of Europe, are also working on strengthening the rights of the child.

As several tech companies are based in California, their top managers clearly understand the need to be seen to be taking action. As a result, California-based tech companies, such as Google and Meta (formerly known as Facebook) are now giving this framework more attention. Regulators, privacy advocates, and others want to see changes in the way tech companies behave.

While preparing for Privacy Laws & Business’s 16th March webinar Helping young people to better protect their privacy and safety online, I learned that Meta alone has some 500 staff working on children’s issues in many different ways. We will learn more during the webinar and I invite you to register and put your questions to the Privacy Policy Manager, EMEA for Meta and other members of the panel comprising: the Acting Head of Children’s Policy at Ireland’s Data Protection Commission; leading academics; the ISFE, Brussels, representing Europe’s video games industry; and the Executive Director, The Age Verification Providers’ Association.

Time for PL&B to resume live events

We at PL&B have run many online events during the pandemic and have attracted thousands of people from many countries all over the world. As a result, in addition to continuing to run webinars, we will run some of our future events in hybrid in-person and online formats, including:

  • Making your case in Europe: Defending against DPA inquiries and sanctions on 18 May which will be a live/online conference in cooperation with Latham & Watkins, London. Speakers will include partners from France, Germany, Ireland and the United Kingdom, and
  • Winds of Change, PL&B’s 35th Anniversary International Conference, 4-6 July at St. John’s College, Cambridge. The first speakers and their sessions are now listed on our website. More speakers will be added in the coming weeks. Registration is now open.

While there is a tangible desire to get back to in-person events, and this kind of networking is ideal, we recognise that there will always be people who cannot travel as they might wish. Therefore, everyone registered for these events will be able to see the recorded sessions whenever they want.

I pay tribute to and thank the PL&B editorial, events and admin teams, who throughout the last two years have achieved a consistent high quality of content and a reliable service in such a difficult period.

Best regards,

Stewart Dresner

Publisher, Privacy Laws & Business

March 2022

News & Blogs

March 2022 Report Contents

Next