With just over two months left until the ICO’s (Information Commissioner’s Office) Age-appropriate Design Code comes into force, this blog gives you a round-up of who needs to comply, and what complying means for you.
The Code came into force on the 2nd of September 2020; however, a twelve-month transition period was enacted, allowing organisations time to get their ducks in a row before the 2nd of September this year when the Code becomes enforceable. This transition period is quickly running out, so if your organisation has yet to determine whether it applies to you, or has failed to do anything if it does, take this as your final warning!
What is the Code?
The Age-appropriate Design Code is the product of the ICO’s work as prescribed under section 123 of the Data Protection Act 2018 (DPA). The statutory requirement to create a code of practice on age-appropriate design was included within the DPA due to increasing concerns that children need safeguarding when using online services. In a survey conducted by the ICO, children’s privacy was ranked the second-highest data protection concern behind cybersecurity. Considering that 1 in 5 Internet users are children and their use of the web is only set to increase over time, it is essential that we make the web a safe space for them.
In her foreword to the Code, the Information Commissioner, Elizabeth Denham, states that “For all the benefits the digital economy can offer children, we are not currently creating a safe space for them to learn, explore and play. This statutory code of practice looks to change that, not by seeking to protect children from the digital world, but by protecting them within it.”
The Code is made up of 15 ‘Standards of age-appropriate design’ which, when followed, will demonstrate that organisations are complying with their data protection obligations and indicate to their users (and parents of users) that they handle children’s personal data responsibly and take children’s privacy seriously.
Who does it apply to?
Section 123 of the DPA 2018 states that the Code applies to “relevant information society services which are likely to be accessed by children.” Now, we definitely need to break this one down.
Information society services (ISS)
“any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services”
This is therefore a wide definition that will cover most online services, including websites where products are sold online; apps; games; social media platforms; and search engines.
If your online service falls under the following categories, it will not be considered relevant:
Likely to be accessed by children in the UK
The service does not have to be specifically aimed at children (under-18s) for the Code to apply. If, whilst your service is not specifically aimed at them, children do in reality access it, you will have to comply with the Code.
The ICO states that the likelihood of children accessing your site must be more probable than not. They suggest that when considering whether your service is likely to be accessed by children in the UK, you should consider:
What are the 15 standards?
What do organisations have to do?
Organisations must demonstrate how they are complying with each of the 15 standards, but how they do so will depend upon a variety of factors. The ICO highlights that the above 15 points are not meant to be prescriptive technical standards, with clear actions that every organisation must take. Instead, organisations must take a proportionate and risk-based approach to compliance. This means that what the ICO expects of each organisation will depend upon organisation size and resources available; the service or product offered and the associated risks; and the amount and type of personal data processed.
It is important to remember that complying with the Code will help you to comply with your other data protection obligations as set out in the UK GDPR and PECR. It is not a completely separate requirement that imposes wholly new obligations on your organisation; it simply asks you to focus on how your service impacts the needs and rights of child users specifically.
The ICO will be overseeing compliance with the Code, along with other data protection laws. They have stated that their “approach is to encourage conformance” rather than punish non-conformance; however, as the Code is set out in law, they have a statutory duty to take it into account when enforcing the GDPR and PECR.
Furthermore, they have stated that children’s privacy is “a significant factor weighing in the balance when considering the type of regulatory action” that will be taken, suggesting that enforcement is likely to be more severe than for other types of non-compliance. As such, if the Code does apply to you, it may benefit both your reputation and bank balance to ensure that you are complying.
If you would like advice on how to comply with the Age-appropriate Design Code, or answers to any other data protection related questions you may have, please contact us below.