ICO Code of Practice to protect children’s privacy is laid before Parliament

The Age Appropriate Design Code (the “Code”), developed by the Information Commissioner's Office (ICO), has been laid before Parliament and may be read alongside an explanatory memorandum published by the Department of Digital, Culture, Media and Sport. This marks the end of a long period of consultation by the ICO, culminating in the publication of the final version of the Code in January.

The Code originates from an obligation placed on the ICO as detailed in section 123(1) of the Data Protection Act 2018 and sets out 15 standards expected of online service providers who process personal data, in order to ensure that the privacy of children is protected.

What does the code say?

Taking a proportionate and risk-based approach, the Code sets out the standards expected of those responsible for designing, developing or providing online services and will, amongst other things, require organisations to:

  • automatically provide children with a built-in baseline of data protection whenever they download a new app, game or visit a website;
  • ensure privacy settings are set to high by default;
  • ensure children are not encouraged to weaken privacy settings through “nudge” techniques;
  • switch location settings off by default;
  • minimise data collection; and
  • ensure profiling, which can allow children to be subjected to targeted content, be turned off by default.
Who does the code apply to?

The Code applies to "relevant information society services which are likely to be accessed by children" in the UK. As children frequently access the same online services as adults, this means that a wide range of service providers will be affected. From those providing apps, online games, or social media platforms to streaming services and connected toys and devices, the Code should be considered carefully to ensure that organisations are appropriately safeguarding and processing the personal data of children. The Code also covers a broad range of websites including news or educational websites and websites offering other goods or services to users.

Digital news and media

Amid concerns during consultation around protecting the fundamental right to freedom of expression and other issues specifically affecting the digital news industry, the ICO has developed a set of FAQs in conjunction with the News Media Association.

The FAQs acknowledge that while these services frequently process children’s personal data to provide personalised news and advertising feeds and often share data with third parties, they “are not a core concern for children online” and accordingly the Code can be applied in a risk-based and proportionate way to reflect this. In particular, the FAQs confirm that news media will not necessarily require to formally age-verify their digital content to allow users to access news content.

The FAQs further stress that organisations already complying with their obligations under existing legislation, specifically the General Data Protection Regulation (EU) 2016/679 (GDPR) and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) will be considered relatively low risk under the Code.

What happens now?

The Code provides a 12-month transition period for online services to comply. In the meantime the ICO is developing a package of support for industry in order to aid compliance with the Code.

The ICO is also producing an economic impact assessment of the Code to inform the ICO’s support for businesses during the transition period and this assessment is due to be finished before the Code has completed its parliamentary passage.

Ultimately, the purpose of the Code is to support compliance with the general principles of the GDPR, and to provide practical guidance about how to appropriately safeguard children’s personal data. If organisations do not have sufficient protections in place for children, they will have to make changes to ensure they comply with the GDPR and the Code. With this in mind, organisations may wish to begin looking at their own data processing practices sooner rather than later, to ensure a smooth transition.

Latest updates from @MacRoberts