A Key to Unlocking the Business Use Case for Age-Appropriate Design Codes (AADC)
Age-Assurance is easier than some want you to believe.
Opposition to the global trend of Age-Appropriate Design leads the press, but rarely have I seen the pro-business case for it. I aim to start filling that gap.
I drafted AI audit certification schemes on a global scale, I write on Age-Assurance, and have been on children’s data privacy panels, which supports my credibility in the Age-Appropriate Design (AAD) space. I have a unique perspective on the business use case that comes from my 25+ years in finance and investment management. I understand how to formulate a business strategy and product development that is client/user-centric. There is an amazing competitive advantage to be gained by following AADCs. Immense stakeholder value will be created. (Yes, this includes shareholders, but encompasses employees, users, parents & children.) My intention is to either keep your attention and teach, as I take a comprehensive approach in solving this issue, or have you contact me to discuss this for your business directly. KidsTechEthics is a leading AAD solutions provider that uses an engineering-oriented approach to uphold the legal principles.
Age-Appropriate Design is fundamentally about understanding the age of your user and prioritizing the best interests of a child user alongside the commercial interests of your business. This principle is critical for board members, investors, advisors, or founders of startups to understand.
Most current marketplace solutions, such as facial detection and age-estimation tools, lack precision and are therefore insufficient to pass an AI audit. (This is a better mousetrap.)
Carrot vs. The Stick
There comes a stick if you choose not to comply. It can be a large, looming one, although the first “juri-stick-tion” that was empowered to uphold Age-Appropriate Design, the Information Commissioner's Office in the United Kingdom, rendered itself very weak in the matter. No real consequence; hence no real change of behavior. (One of many cases in point: the ICO fined TikTok, a business with over $80bln of revenue, $12m.) A pittance. Several states in the U.S. began passing their own Age-Appropriate Design Codes with fines ranging from $2,500 per child for negligence to $7,500 for gross negligence. (I can easily argue $7,500.)
There are four age categories that a business could now be required to follow: under 13, 13-17, 18+, and 21+. While AAD concerns itself with those under 18, a website may have material that is focused on an age of 21, e.g., alcohol. We shall address this further later.
A child under the age of 18 is afforded certain rights. While we will not go into all of them here, privacy and data protection are among the highest priorities for governments and parents alike.
Some legacy laws in the US, such as COPPA and the FTC Safe Harbor, are creating a false sense of security on compliance. You must ensure proper handling of data and process so as not to run afoul of the elevated AADC demands.
Parental consent for those under 13 is in both COPPA and AADC. The sticky part is that no further personal information can be gathered from either a child or parent during the age-verification process. You must hold that PI in quarantine. Sorry, too soon after the pandemic? How this will be enforced, or grandfathered for those who previously gave consent, remains to be seen.
If your business uses third parties, they too must be compliant. This means that if you collect data from either a child or a parent, and then have your third parties use that data for advertising or behavior-related recommendation engines, that process would not be sufficient to pass an independent AI audit. Your third-party processors must also be compliant for you to be compliant.
A common practice appears to be one that gains parental consent and has the parent simultaneously opt in to behavior-based AI systems. It also seems SOP that advertising models then run however they see fit. This process has been available for well over 10 years, and I raise the question of whether the Attorneys General will find this practice acceptable when the laws state otherwise. Even if it is passable, the next point may be harder to demonstrate.
Going back to a question arising from fundamental point number one: How does your system, online product, service, or feature support the Best Interests of the Child? A tool called the Data Protection Impact Assessment will hold your answers. Larger companies know these tools better than smaller ones do. Large enterprises have been doing Impact Assessments for years with GDPR.
Your Data Protection Impact Assessment will discuss how you envision your AI system to work, what data you intend to collect, process, and store, and furthermore, how you intend to use that data for your behavioral recommendation engines. This DPIA must be done prior to development and be kept current throughout the lifecycle of the business. At many points during an AI audit, criteria call for demonstrating that your actions are core to the service you provide. Again, document this in the DPIA.
Complete the DPIA and demonstrate how your system upholds the best interests of the child (BIOC) and how it is not detrimental to the well-being of the child, and you have completed what I call the middle school math problem: show your work and you should receive substantial credit. Doing it in good faith would appear to easily remove you from the category of gross negligence. This is not only your great compliance and defensive strategy, but also the greatest map for building a tremendous business. The DPIA is your greatest offensive coordinator imaginable.
Assuring the age of your user is not as difficult as many claim it to be. The widespread fear of being required to hand over a driver's license or have one's face scanned to gain access to every website is understandable, as many organizations have not earned enough trust to enable this form of verification. It is easy to see why opponents wish you to believe we should do nothing, but there is a simpler, privacy-centric and globally harmonized compliance alternative. That too is a secret sauce I have in development.
What to do?
Learn more about Age-Appropriate Design:
If you are a board member, investor, advisor, or founder of a start-up, it is critical to understand the principles of Age-Appropriate Design. This material is not solely to be decided by engineering or your trust and safety teams. GDPR Children’s Codes and California audit schemes specifically call for top management and oversight bodies to ensure governance and oversight. While this article provides a good starting point to learn more about the concept, you should also consider specific training and educational sessions. We can help steer those meetings and even provide Continuing Legal Education for Ethics (MCLE).
Begin implementing Age-Appropriate Design Codes today:
There is an amazing competitive advantage to be gained by following Age-Appropriate Design Codes (AADCs), and immense stakeholder value will be created. If you are running a business that caters to children, you should consider implementing AADCs to ensure that you are putting the best interests of the child user at the top of your priority list. We can provide perspectives on balancing the commercial interests of the business with the best interests of the child.
Complete a Data Protection Impact Assessment (DPIA):
To ensure that your systems uphold the best interests of the child and are not detrimental to their well-being, you should complete a DPIA. This tool will help you to envision how your AI system will work, what data you intend to collect, process, and store, and how you intend to use that data for your behavioral recommendation engines. Completing a DPIA in good faith is not only a great compliance and defensive strategy, but also the greatest map for building a successful product. At KidsTechEthics, we created a DPIA with cost effectiveness in mind and can deliver expertise to ensure development of AAD throughout your organization.
If you are not ready to begin, or wish to gain further knowledge on the topic, I encourage you to subscribe to this Substack or follow me on LinkedIn.
If you have specific questions, or wish to discuss cost and timelines, connect on LinkedIn or email me at jeff (dot) kluge (at) HolisticEthics (dot) com