Communications Authority releases draft guidelines to protect and keep children safe online
Digital access is no doubt double edged. On one hand it exposes children to a wealth of benefits and opportunities, but on the other a host of risks, including access to harmful content, sexual exploitation and abuse, cyber bullying, and misuse of their private information. Against this background, the Communications Authority of Kenya (CA) has released the draft industry guidelines for child online protection and safety in Kenya, 2022 (Guidelines) that aim to enhance the safety and protection of children online.
The Guidelines, which have been issued by CA pursuant to the Kenya Information and Communications (Consumer Protection) Regulations, 2010, form the basis for the design, development, deployment, commissioning, use, management, sale, marketing and publicity of communication products and services in Kenya that may be accessed and/or targeted for use by children. It also provides safeguards for children’s access to and use of ICT services in Kenya.
The Guidelines will apply to all persons licensed by CA under the Kenya Information and Communications Act, 1998 (KICA) once they are executed and published by the Authority. They will also apply to product and service providers in the value chain in the design, production, deployment, use of communication products and services in Kenya and all products and services targeting children, including children living with disabilities.
The Guidelines will take effect within 6 months after their approval.
Below is an overview of the key requirements of the Guidelines.
| Industry Guidelines | Summary of compliance requirements | Impact | |
| 1. | Guidelines for implementation of organisation measures by the industry | Develop a corporate child online protection and safety policy and strategy. This should, among others, entail: 1. Strategy for the development of productive and appropriate products and services. 2. The core values and culture that promote child online safety and protection. 3. The mechanism to infuse child online protection and safety issues, risks and opportunities into the design and development of products and services. 4. A structure of the personnel and resources for the implementation of the corporate policy. 5. A feedback mechanism for customers. 6. Processes and procedures to facilitate the design and implementation of safer products and services for use by children. 7. Training and capacity building for all staff on the operationalization of the organizational measures to protect children online. 8. Rights and responsibilities of children, parents and guardians relating to security and safety features in the organization’s products and services. 9. Reporting mechanism. | Organisations will need to thoroughly review, understand and develop or update their child online protection and safety policy in line with the guidelines. Organisations will also need to appoint an officer who will act as the contact person on child online protection and safety issues. This is likely to introduce new compliance costs for entities operating in the ICT sector. |
| 2. | Guidelines for implementation of technical measures by the industry | 1. Develop Internal procedures to ensure compliance under local and international laws on combating Child Sexual Abuse Material and local laws on data protection. 2. Develop Information security practices in line with the Authority’s General Information Security Best Practice Guides for Kenya. 3. Develop technical safety and security tools and measures at the device level, network level and service level that fosters safer internet experiences.Incorporate privacy-by-design principles. 4. Develop age-verification mechanisms in the deployment of communication products and services to facilitate children’s right to freedom of expression and access to information. 5. Develop and publicize notice and takedown and reporting processes. 6. Develop and publicize the processes for handling complaints and enquiries on online violations of children’s rights. 7. Adapt and implement heightened default privacy settings for collecting, processing, storing, selling, and publishing personal data gathered from children. 8. Develop a mechanism to foster local innovation of technical tools and measures for child Online safety and protection. 9. Support law enforcement in the event of criminal investigations through such activities as capturing evidence. | Organizations will need to put in place robust systems, processes and procedures to ensure implementation of the technical measures. Organizations should conduct regular compliance health checks to monitor the level of compliance. |
| 3. | Specific Guidelines on Broadcast Content and Broadcasters | In addition to these guidelines, Broadcasters will adhere to the Broadcasting Regulations under KICA and CA’s programming code as it details the specific requirements to the management and handling of content obtained from or relating to children. | The guidelines add an extra layer of compliance requirements for Broadcasters. |
| 4. | Specific Guidelines for Application Service Providers (ASPs) and Content Service Providers (CSPs) | 1. In addition to these guidelines, ASPs and CSPs must package their products and services to third parties in line with these guidelines. 2. ISPS and ASPs shall embed the organisational and technical measures to third party agreements that should include mechanisms to address incidents and actions to be taken upon breach of the agreement. | It is expected that all communication servicesoffered by the customers of ISPs and ASPs, especially where children may access these services will adhere to these guidelines. Such customers include Content Providers, Online Retailers, App Developers, interactive and social media service providers, Cybercafes, Public Wi-Fi, schools etc. |
| 5. | Specific Guidelines for Mobile Operators | In addition to these guidelines, in the development of age-verification mechanism, mobile operators should ensure that: 1. All SIM cards that are to be used by children are registered in line with the KICA provisions and the Registration of SIM cards Regulations. 2. Mobile phone subscribers/customers are informed of the need to appropriately register their sim cards and declare the intended subscribers/customers of the SIM cards. 3. The technical measures deployed on services offered to children should also be availed to those targeted for use by adults. | SIM cards for children will now have to be registered under the child’s name and details. |
| 6. | Specific Guidelines for Hardware Manufacturers, Communication Devices and Equipment Vendors | 1. Incorporate information on how a subscriber/customer should activate built-in technical mechanisms that can be leveraged to facilitate a safer internet experience in device manuals. 2. Activate heightened default security prior to them being sold or made accessible to customers, especially for devices that children would use. |