By Sonia Livingstone and Kruakae Pothong
Whether tiny start-ups or global players make digital products used by children, there’s a minefield of standards and regulations to keep up with. After all, the digital ecology encompasses a heterogenous mix of digital products and services used by children, the organisations that develop them come in all shapes and sizes, and the standards and regulations that relate to them are equally heterogeneous.
Designers and developers interviewed for our work on Guidance for Innovators tell us it’s hard to know where to look to be sure of keeping up with the relevant requirements. It’s also hard to know which part of an organisation is responsible for briefing the designers or when, in the design flow, information about standards and regulations is most needed. This may help explain the compliance gap we document below.
Providers of digital products used by children state compliance with few regulations and standards
Early in 2022, we checked the websites of a wide range of digital products and services that children use, including console and mobile games, wearables and smart toys, EdTech and digital health services. We wanted to see which standards and regulations providers say explicitly that they comply with (Figure 1).
We found a considerable compliance gap among digital products likely to be used by children. Our top 7 findings are:
- Across the websites of 52 products and services, we found claims of compliance with 25 different standards and regulations.1
- On average, each company claimed compliance with 5.1 standards and regulations. Although low, this is higher than the average of 2.5 when we last checked in July 2020.
- Most often, compliance was claimed with modern slavery legislation (35 out of 52 products).
- Next was data protection & privacy – 27 out of 52 products and services claimed compliance with data protection regulation (e.g., UK GDPR), and 23 referred to privacy frameworks (e.g., COPPA), with a few more noting cross-border data transfers compliance.
- Few products claimed compliance with security standards (e.g., ISO 27001, ISO 27017, PCI DSS), though more in 2022 than 2020, notably by global businesses.
- Compliance with non-discrimination requirements is mainly claimed in the video-on-demand service sector, referring to the provision of accessibility features such as audio description, subtitling or captioning. However, by 2022, gaming and EdTech providers also refer to these.
- Just seven of the 52 products and services explicitly claimed compliance with product safety standards and consumer protection regulations in 2022, a moderate increase from 2020.
Figure 1: Claimed compliance with standards and regulations for 52 products
Despite increased stated compliance across products and services from our initial research in 2020, it remains low. Compliance appears limited to standards and regulations seen as having “teeth” – either expensive penalties or restrictions on market entry. The standards and regulations that companies claim compliance with concentrate on hygiene factors to address problems rather than ways to enhance children’s rights.
The mobile gaming sector performs poorly
The least compliance was found in the mobile gaming sector (see Figure 2). We saw improvement in three products (GarageBand, Pokémon Go and Helix Jump) – these now state compliance with 3 or 4 standards and regulations (back in 2020 they stated none). But 5 out of 8 products and services in the mobile game sector only implied compliance with some standards and regulations.
The digital health, EdTech and parental control software sectors also exhibited a relatively low level of stated compliance. Video on Demand (VoD), video games, children’s programmes, search engines, video games and social media sectors showed low to moderate levels of stated compliance.
Figure 2: Compliance with standards and regulations claimed by each product
Which standards and regulations apply to which products?
The low level of stated compliance becomes a concern when the products and services contain features and functionalities likely to be in the scope of various standards and regulations. Table 1 (Annex) maps those relevant to the 52 sampled products and services likely to be used by children.
For example, one would expect that the tracking functions and internet connectivity embedded in health apps warrant an explicit statement of compliance with regulations and standards in relation to data protection and privacy, non-discrimination, consumer protection and security. It becomes worrying that none of the 3 health apps that we examined stated compliance with security measures, such as vulnerability disclosure or security standards.
One would expect the same for EdTech services given that they process considerable personal data including judgments of behaviour. And the same could be expected of mobile games given their use of in-app purchases. However, most products in these categories stated compliance only with data protection and privacy regulations, but not security, non-discrimination or consumer protection standards and regulations.
By contrast, the game console, domestic IoT, wearable and coding toy sectors stated relatively high compliance with diverse standards and regulations. This may be because the cyber-physical nature of the products puts them within the scope of more standards and regulations than web-based or on-demand broadcast services that do not allow user-generated content or communication features, such as BBC iPlayer, CBBC or Bitesize.
Child rights by design is needed!
What regulations and standards should products and services used by children comply with? Are these sufficient to ensure children’s best interests are met? Why is claimed compliance so low, and should it be raised? What external factors (such as regulation or incentives) or internal factors (such as organisational culture or ethical policies) could drive improvements?
Granted that the standards and regulations we list are long and rather fragmented. This makes it difficult for companies, especially start-ups, to navigate the standards and regulatory landscape.
However, help is available and in open access form! The IEEE Standard for an Age Appropriate Design Services Framework based on the 5Rights Principles for Children (IEEE 2089-2021) is a comprehensive starting point for businesses offering digital products and services likely accessed by children. This IEEE standard provides practical steps that will guide designers and developers to consider the diverse requirements of children in relation to different design elements and data processing relevant to their products or services.
What’s next? The DFC is working on the Child Rights by Design Toolkit, which will identify and explain the child rights issues that arise during design and development processes. The toolkit will come ready with relevant regulations, standards, activities, questions and resources.
 It is possible that products and services are compliant even though the company has not stated this publicly. Also, not all regulations and standards apply to all products and services.