IoT security expert praises inclusion of connected toys in ICO’s new privacy rules

The UK has published a new code of practice for tech companies, aiming to help enhance the digital privacy of children through design.

Published by the Information Commissioner’s Office (ICO) this week, the Age Appropriate Design Code will apply to any apps, websites, online games, and connected devices likely to be used by children – even if primarily used by adults.

The ICO said in its release: “The code is a set of 15 flexible standards – they do not ban or specifically prescribe – that provides built-in protection to allow children to explore, learn and play online by ensuring that the best interests of the child are the primary consideration when designing and developing online services.”

According to UK’s data privacy regulator, those responsible for designing, developing, or providing online services that fall into this category should adhere to 15 principles that include:

  • Setting privacy settings to their highest level by default, unless there’s a compelling reason not to
  • Not deploying so-called ‘nudge’ techniques that encourage children to weaken their privacy settings
  • Switching geolocation settings off by default to prevent children from being tracked
  • Minimizing the collection and sharing of data
  • Switching profiling functionality off by default to protect children from targeted content

Internet-connected toys, such as talking teddy bears, or smart devices readily used by children, like voice-activated ‘home hub’ speakers, should also be suitable for a child’s use in their default settings.

Developers of internet of things (IoT) devices should also minimize the passive collection of children’s personal data, make devices usable while offline, if feasible, and offer the capability to create child-friendly user profiles.

Ken Munro of Pen Test Partners, who specializes in probing IoT devices for vulnerabilities, noted the UK rules’ similarity to US Federal Trade Commission’s 1998 COPPA Rule, but praised the addition of connected toys.

“It requires vendors involved in smart kids’ toys to be much more up front about how and where they process children’s data,” he told The Daily Swig.

“Our research several years ago showed several smart toys that sent data overseas for processing, including My Friend Cayla, where data from children was sent to the US.”

One-year transition period

Companies will have a one-year transition period, with a “substantial package of support”, to comply with the new rules.

Elizabeth Denham, the UK’s Information Commissioner, said: “One in five internet users in the UK is a child, but they are using an internet that was not designed for them.

“There are laws to protect children in the real world – film ratings, car seats, age restrictions on drinking and smoking. We need our laws to protect children in the digital world too.”

Ken Munro suggested the code of practice might only be effective if backed by strong enforcement.

“Whilst this is a big step in the right direction, I will reserve judgement on its effectiveness until the 12-month transition period for vendors to update their services and terms has expired,” he said.

“Only then will we see if manufacturers have responded effectively, or whether the regulators ‘stick’ is required to bring them into line.

“I think the ICO will need to be ready to enforce, or we will continue to see lip service being paid to our children’s privacy.”

Fennel Aurora, security adviser at cybersecurity company F-Secure, welcomed the new rules but said “it is very hard to see any justification for limiting these rules to protecting only children – we all deserve an internet where we are protected from targeting, harassment, and invasions of privacy.”

The ICO told The Daily Swig that the Age Appropriate Design Code falls into the framework of GDPR, meaning companies could be liable to paying fines if found in violation of the new standards.


READ MORE The UK’s Computer Misuse Act is ‘crying out for reform’