MODEL GUIDELINES ON
AGE-APPROPRIATE DESIGN FOR ONLINE SERVICES

About The Model Guidelines

The Model Guidelines on Age-Appropriate Design for Online Services, which are the first of their kind in Africa, are a set of principle statements on how to ensure that online service providers appropriately safeguard children’s privacy. The Model Guidelines take a proactive approach to addressing the safety and privacy of children online by focusing on the design-stage of online products and services. The Model Guidelines have been drafted in the context of South Africa’s Protection of Personal Information Act, 2013 and are therefore arranged in accordance with its eight processing conditions. 

 

The Guidelines have utility for a range of organisations (both public and private). This includes industry (advertisers, marketers, eCommerce operators, website and platform owners and developers), industry bodies/associations, and Regulators. They can be considered, consulted and benchmarked against when designing, structuring, and assessing online services with children’s privacy in mind. 

 

The Guidelines were developed by EndCode as part of Impact Amplifier's Africa Online Safety Fund Grant.

Endcode Logo Black.png
Best Interests of the Child

Best Interests of the Child

Encode_Icons-03.png

Minimal

Processing

Footprint

Encode_Icons-04.png

Be 

Purposeful

Encode_Icons-08.png

Dedicated Security Safeguards

Encode_Icons-02.png

Adequate

Consent

Encode_Icons-05.png

Restraint in Use of Information for Other Purposes

Encode_Icons-09.png

Children Must be Empowered to Participate in the Management of their Purposeful Information

Encode_Icons-07.png

Transparent and Accessible Privacy Practices for

Children

Encode_Icons-06.png

Ensure High Quality Personal Information

Best Interests of the Child

When designing and developing online services or products that
can be accessed by a child, the best interests of the child should
be a primary, overarching consideration. In doing so, online
service providers should take steps to understand their audience
and the recipients of their online service or product, and
implement appropriate processes to ensure that the best
interests of the child are embedded throughout the online
service or product.

 

Minimal Processing Footprint

Online service providers must only collect and process personal information of children insofar as it is required to provide the intended online service or product.

 

Be Purposeful 

Online service providers must be clear about the specific purposes for which they require personal information. In doing so, they must be consistently guided by these purposes when designing, developing and operating an online service or product, and limit these purposes when a child may access, use, receive or engage with an online service or product.

 

Dedicated Security Safeguards

Online Service Providers must implement appropriate technical and organisational measures to ensure the confidentiality, integrity, and availability of children’s personal information. In assessing what measures are ‘appropriate’, Online Service Providers must consider:

 (i) the types of personal information collected;

(ii) the ways in which it will be used;

(iii) how long it will be kept;

(iv) who it will be shared with;

 (v) what internal and external risks exist in relation to the information. Where the security of a child’s personal information has been compromised, effective measures must be in place to notify the child in a manner appropriate to the child’s age and degree of maturity, and where appropriate, the relevant competent person.

 
 

Adequate Consent

When collecting and using personal information belonging to a child, online service providers must ensure that they have obtained complete and adequate consent to do so. After obtaining consent, it must be as easy for a child or guardian to withdraw it, as it was to give it.

Restraint in Use of Information for Other Purposes

Online Service Providers must exercise restraint and be transparent before using or sharing personal information of children for purposes that go beyond the scope of the original intended purpose for collecting and using such personal information. In doing so, Online Service Providers must always assess the lawfulness, reasonableness, compatibility, and potential consequences for a child before using
personal information for any additional purposes.

 

Children Must Be
Empowered to Participate in the Management of their Personal Information

Online Service Providers must design and implement tools and processes to enable children to access, alter, update, delete and download their personal information, as well as seek assistance from, and lodge complaints with, the Online Service Provider. In doing so, these tools and processes should be appropriate to the varying ages and degrees of maturity of the child.

 

Transparent and Accessible Privacy Practices for Children 

Online Service Provides must ensure that the ways in which they collect, use and share personal information are transparent and easily understandable for children at their varying ages and degrees of maturity. In doing so, Online Service Providers must also ensure that such information is easy for children to locate and navigate, and that children are provided with sufficient explanations and guidance to enable them to understand the consequences of using the online
service or product.

 
 

Ensure High Quality Personal Information

Online Service providers must take appropriate technical and
organisational measures to ensure that all personal information of children that is collected or generated, is accurate and up to date. These measures must also make it easy for children, at their varying ages and degrees of maturity, to rectify any personal information that they have provided or that has been generated about them.

©2023 by EndCode.