The twelve month transition period for the Age Appropriate Design Code, also known as the Children’s Code, developed by the ICO has now concluded. This means that the Code took effect on 2nd September 2021 and all organisations affected by the Code must comply with its requirements.
The Code sets out 15 standards expected of online service providers that process personal data, in order to ensure that the privacy of children is protected. The Code is the first of its kind and aims to create a better internet for children by ensuring online services likely to be accessed by children, respect a child’s rights and freedoms when using their personal data.
What does the Code say?
Taking a proportionate and risk-based approach, the Code sets out the standards expected of those responsible for designing, developing or providing online services and, amongst other things, requires organisations to:
- automatically provide children with a built-in baseline of data protection whenever they download a new app, game or visit a website;
- ensure privacy settings are set to high by default;
- ensure children are not encouraged to weaken privacy settings through “nudge” techniques;
- switch location settings off by default;
- minimise data collection; and
- ensure profiling, which can allow children to be subjected to targeted content, be turned off by default.
The Code identifies social media platforms, video and music streaming sites and video gaming platforms as some of the biggest risk areas and provides a number of recommendations to avoid inappropriate use of children’s personal data in these settings. The key aim of the Code is to ensure that organisations processing children’s personal data have the children’s best interest as a primary concern. The key concern for the ICO is the variety of harms that could be caused as a consequence of the use of this type of data.
Who does the Code apply to?
The Code applies to "relevant information society services which are likely to be accessed by children" in the UK. As children frequently access the same online services as adults, this means that a wide range of service providers will be affected. From those providing apps, online games, or social media platforms to streaming services and connected toys and devices, the Code should be considered carefully to ensure that organisations are appropriately safeguarding and processing the personal data of children. The Code also covers a broad range of websites including news or educational websites and websites offering other goods or services to users. It should also be noted that the Code applies to UK-based companies and non-UK companies who process the personal data of UK children.
Whilst the Code is the first of its kind, it reflects the global direction of travel. The USA and Europe are considering similar initiatives. The Organisation for Economic Co-operation and Development (OECD) Recommendation on Children in the Digital Environment was published in May 2021, and the United Nations’ General Comment on Children’s rights in relation to the digital environment has also recently been adopted. The ICO is actively engaging with the Irish Data Protection Commissioner (IDPC) about their Fundamentals for Child-orientated Approach to Data Processing guidance, and with the Federal Trade Commission (FTC), the OECD and other international stakeholders.
Compliance with the Code
Ultimately, the purpose of the Code is to support compliance with the general principles of the UK GDPR, and to provide practical guidance about how to safeguard children’s personal data appropriately. If organisations do not have sufficient protections in place for children or do not follow the Code, they could face enforcement action by the ICO which includes compulsory audits, orders to stop processing and fines of up to 4% of global turnover.
UK GDPR certification scheme criteria
The ICO has also recently approved the first UK GDPR certification scheme criteria. The ICO has approved the criteria for three schemes with the Age Check Certification Scheme (ACCS) having developed criteria for two schemes, the first relating to age assurance and the second looking at children’s online privacy. See ICO Approved Criteria | Children's Code | Age Appropriate Design (accscheme.com).
What is next?
Separately, the ICO is considering how organisations in scope of the Code can manage age assurance, whether that’s verifying ages or age estimation. The ICO will be formally setting out its position on age assurance in the autumn.
This article was co-written by Trainee Solicitor, Clare Tuohy.