It has been reported today that TikTok are facing a legal claim on behalf of millions of children in the UK and the EU. The claim is being backed by England's former children commissioner over how TikTok collects and uses personal data.
The claim will allege that TikTok collects personal data from children, including more sensitive data, such as exact location data and biometric data without sufficient warning, transparency or the necessary consent required by data protection law, and without children or their parents knowing what is being done with that personal data. The claim will also allege that this personal data is transferred, for profit, to unknown third parties.
TikTok is also currently under investigation from the Information Commissioner's Office (ICO). The ICO has reported that is conducting an investigation into TikTok's compliance with UK data protection law and intends to publish its findings later this year.
In response to today's announcement, TikTok has stated that the claim lacks merit and it intends to vigorously defend the action.
The press coverage of this claim is a timely reminder that the ICO's Age Appropriate Design Code (known as the 'Children's Code') came into force on 02 September 2020 with a 12 month transition period to give organisations time to prepare. This transitional period will end on 02 September 2021 and organisations are expected to achieve compliance with the Children's Code by 02 September 2021.
Who does the Children's Code apply to?
The Children's Code applies to "information society services likely to be accessed by children" in the UK. This includes apps, programs, connected toys and devices, search engines, social media platforms, streaming services, online games, news or educational websites and websites offering other goods or services to users over the internet. It is not restricted to services specifically directed at children.
What are the key points to the Children's Code?
The Children's Code sets out a number of key points which information society services must take into account when designing and developing online services for children. These are as follows:
- The best interests of the child should be a primary consideration when you design and develop online services likely to be accessed by children;
- You must undertake a Data Protection Impact Assessment (DPIA) to assess and mitigate risks to the rights and freedoms of children who are likely to access the service. This should take into account differing ages, capacities and development needs and ensure that your DPIA builds in compliance with this code;
- The age range of your audience and the different needs of children at different ages and stages of development should be at the heart of how you design your service and apply this code;
- The privacy information you provide to users must be concise, prominent, and in clear language suited to the age of the child. Additional specific 'bite-sized' explanations about how you use personal data at the point that use is activated should also be provided;
- You must not use children's personal data in ways that have been shown to be detrimental to their wellbeing, or that go against industry codes of practice, other regulatory provisions, or government advice;
- You must set, and adhere to, your own published terms, policies and community standards (including but not limited to privacy policies, age restriction, behaviour rules and content policies);
- Settings must be 'high privacy' by default;
- Collect and retain only the minimum amount of personal data you need to provide the elements of your service in which a child is actively and knowingly engaged. Give children separate choices over which elements they wish to activate;
- You must not disclose children's data unless you can demonstrate a compelling reason to do so, taking account of the best interests of the child;
- You must switch geolocation options off by default (unless you can demonstrate a compelling reason for geolocation to be switched on by default, taking account of the best interests of the child), and provide an obvious sign for children when location tracking is active;
- If you provide parental controls, give the child age appropriate information about this. If your online service allows a parent or carer to monitor their child's online activity or track their location, provide an obvious sign to the child when they are being monitored;
- You must only permit profiling if you have appropriate measures in place to protect the child from any harmful effects (in particular, being fed content that is detrimental to their health or wellbeing);
- You must not use nudge techniques to lead or encourage children to provide unnecessary personal data or turn off privacy protections;
- If you provide a connected toy or device, ensure you include effective tools to enable conformance to this code; and
- You must provide prominent and accessible tools to help children exercise their data protection rights and report concerns.
The Children's Code seeks to protect children within a digital world where children's personal data is being recorded by organisations as they grow up. Conforming with the Children's Code will ensure that you take into account the best interests of the child and avoid the action faced by TikTok by both the ICO and in the civil courts. Additionally, the UK has recently introduced its Online Safety Bill which will set additional duty of care requirements for tech platforms.
For more information contact Bethany Paliga in our Governance, Procurement & Information department
via email or phone on 01254 222347.
Alternatively send any question through to Forbes Solicitors via our online Contact Form.