ICO’s Age-appropriate Design Code – 2 months to comply

With just over two months left until the ICO’s (Information Commissioner’s Office) Age-appropriate Design Code comes into force, this blog gives you a round-up of who needs to comply, and what complying means for you.

The Code came into force on the 2nd of September 2020, however, a twelve-month transition period was enacted, allowing organisations time to get their ducks in a row before the 2nd of September this year when the Code becomes enforceable. This transition period is quickly running out, so if your organisation has yet to determine whether it applies to you, or failed to do anything if it does, take this as your final warning!

What is the Code?

The Age-appropriate Design Code is the product of the ICO’s work as prescribed under section 123 of the Data Protection Act 2018The Data Protection Act 2018 is a United Kingdom Act of Parliament which updates data protection laws in the UK (and supersedes the Data Protection Act 1998). (DPA). The statutory requirement to create a code of practice on age-appropriate design was included within the DPA due to increasing concerns that children need safeguarding when using online services. In a survey conducted by the ICOThe United Kingdom’s independent ‘supervisory authority’ for ensuring compliance with the UK GDPR, Data Protection Act 2018, the Privacy and Electronic Communications Regulations etc., children’s privacy was ranked the second-highest data protection concern behind cybersecurity. Considering that 1 in 5 Internet users are children and their use of the web is only set to increase over time, it is essential that we make the web a safe space for them.

In her foreword to the Code, the Information Commissioner, Elizabeth Denham, states that “For all the benefits the digital economy can offer children, we are not currently creating a safe space for them to learn, explore and play. This statutory code of practice looks to change that, not by seeking to protect children from the digital world, but by protecting them within it.”

The code is made up of 15 ‘Standards of age-appropriate design’ which, when followed, will demonstrate that organisations are complying with their data protection obligations and indicate to their users (and parents of users) that they handle children’s personal dataInformation which relates to an identified or identifiable natural person. responsibly and take children’s privacy seriously.

Who does it apply to? 

Section 123 of the DPA 2018 states that the Code applies to “relevant information society services which are likely to be accessed by children.” Now, we definitely need to break this one down.

Information society services (ISS)

“any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services”

• “for remuneration” – remuneration doesn’t have to come from the end-user, it could be funded via advertising. It also does not exclude not-for-profit services, if they can be considered ‘economic activity’ more generally
• “at a distance” – the service is provided without the parties being simultaneously present

This is therefore a wide definition that will cover most online services, including websites where products are sold online; apps; games; social media platforms; and search engines.

Relevant ISS

If your online service falls under the following categories, it will not be considered relevant:

• Services provided by public authorities that are not typically provided on a commercial basis
• Websites that just provide information about a business or service (that do not support online sales)
• Telephone services
• General broadcast services
• Preventative or counselling services

Likely to be accessed by children in the UK

The service does not have to be specifically aimed at children (under-18s) for the Code to apply. If whilst not specifically aimed at them, children do in reality access your service, you will have to comply with the Code.

The ICO states that the likelihood of children accessing your site must be more probable than not. They suggest that when considering whether your service is likely to be accessed by children in the UK, you should consider:

1. Whether the nature and content of your service has a particular appeal to children; and
2. How your service is accessed and any measures that are in place to prevent children from gaining access

What are the 15 standards?

1. Best interests of the child – the best interests of the child should be a primary consideration when designing and developing online services
2. Data protection impact assessments (DPIAs) – DPIAs should be used to consider how the data processing related to the online service will impact children’s rights and freedoms and how this risk can be mitigated
3. Age-appropriate application – appropriate steps should be taken to determine the age of online service users, or make sure the whole service complies with this Code
4. Transparency – any privacy information provided should be in child-friendly language
5. Detrimental use of data – children’s personal data should not be used in any way that is detrimental to their wellbeing
6. Policies and community standards – online services must uphold and enforce their own published terms, policies, codes of conduct and community standards
7. Default settings – settings should be ‘high privacy’ by default
8. Data minimisationThe third GDPR principle, requiring organisations to only collect the personal data that is truly necessary to fulfill each purpose for data processing. – only the minimum amount of personal data necessary to run the service should be collected from children
9. Data sharing – children’s data should only be shared where there is a compelling reason for doing so
10. Geolocation – geolocation data collection should be switched off by default and reset to this at the end of each use. Where location tracking is active, this should be made obvious to the user
11. Parental controls – if parental controls or parental tracking is in use on the service, this should be made obvious to the child using the service
12. Profiling – All options which use profiling should be switched off by default. Profiling should only be used where measures are in place to prevent the child from experiencing any harmful effects
13. Nudge techniques – Nudge techniques must not be used to persuade or encourage children to provide extra personal data, or make their privacy settings less tight
14. Connected toys and devices – any connected toys or devices should also conform with the Code
15. Online tools – Online tools to help children exercise their data protection rights and report concerns should be easily accessible to users

What do organisations have to do? 

Organisations must demonstrate how they are complying with each of the 15 standards but how they do so will depend upon a variety of factors. The ICO highlights that the above 15 points are not meant to be prescriptive technical standards, with clear actions that every organisation must take. Instead, organisations must take a proportionate and risk-based approach to compliance. This means that what the ICO expects of each organisation will depend upon organisation size and resources available, the service or product offered and the associated risks and the amount and type of personal data processed.

It is important to remember that complying with the Code will help you to comply with your other data protection obligations as set out in the UK GDPRThe UK General Data Protection Regulation. Before leaving the EU, the UK transposed the GDPR into UK law through the Data Protection Act 2018. This became the UK GDPR on 1st January 2021 when the UK formally exited the EU. and PECR. It is not a completely separate requirement that imposes wholly new obligations on your organisation, it simply asks you to focus on how your service impacts the needs and rights of child users specifically.

Enforcement

The ICO will be overseeing compliance with the Code, along with other data protection laws. They have stated that their “approach is to encourage conformance” rather than punish non-conformance, however, as the code is set out in law, they have a statutory duty to take it into account when enforcing the GDPR and PECR.

Furthermore, they have stated that children’s privacy is “a significant factor weighing in the balance when considering the type of regulatory action” that will be taken, suggesting that enforcement is likely to be more severe than for other types of non-compliance. As such, if the Code does apply to you, it may benefit both your reputation and bank balance to ensure that you are complying.

If you would like advice on how to comply with the Age-appropriate Design Code, or answers to any other data protection related questions you may have, please contact us below.