ICO's Age Appropriate Design Code comes into force

The ICO's Age Appropriate Design Code came into force on 02 September 2020. Companies have 12 months to comply with the code.

27 October 2020

Publication

On 02 September 2020, the Information Commissioner's Office's (the "ICO") Age Appropriate Design Code (the "Code") came into force. There is a 12 month transition period, meaning companies have until 02 September 2021 to comply with the code.

The aim of the Code is to support compliance with the Data Protection Act 2018 and general principles of the General Data Protection Regulation (the "GDPR") to ensure online services appropriately safeguard children's personal data. The Code does this by setting out specific protections to be built into online services likely to be accessed by children.

The ICO ran a public consultation on the Code between 15 April and 31 May 2019 and received more than 446 written responses, which were considered in preparing the final draft of the Code. Alongside this, the ICO commissioned research to understand the views of children and their parents on the Code.

Who does the code apply to?

The Code will apply to "relevant information society services which are likely to be accessed by children" in the UK. This includes many apps, programs, connected toys and devices, search engines, social media platforms, streaming services, online games, news or educational websites and websites offering other goods or services to users over the internet. The Code is risk-based, which means it does not apply to all organisations in the same way.

An information society service is defined under the GDPR and most organisations will already be aware if they fall under this definition. An explanation of the definition can be found on the ICO website. The key issue for organisations will be determining whether the service is likely to be accessed by children or not. This is likely to depend on:

  • the nature and content of the service and whether that has particular appeal for children; and

  • the way in which the service is accessed and whether any measures have been put in place to prevent children gaining access.

The ICO has recommended organisations take a common sense approach to this question. For example, if the service provided is adult in nature, the focus is on preventing children gaining access to the site as opposed to making the site suitable for children.

If the service sits in a middle ground, and is not aimed at children but is not inappropriate for them to use either, then the organisation should focus on assessing how appealing the service will be to children. If a reasonable assessment would lead the organisation to believe children will use the service, then it will need to comply with the Code. If the service is already live, then current usage statistics may be relevant to that assessment.

15 Standards

The Code sets out 15 standards of age appropriate design, each reflecting a risk-based approach. The Code will require digital service providers to automatically provide children with a built-in baseline of data protection whenever they download a new app or game, or visit a website. The Code seeks to protect children within the digital world, not protect them from it. The focus is on providing default settings which ensure that children have the best possible access to online services whilst minimising data collection and use by default. It also ensures that children who choose to change their default settings get the right information, guidance and advice before they do so, and proper protection in relation to how their data is used afterwards.

The 15 standards are:

  1. Best interests of the child: The best interests of the child should be a primary consideration when designing and developing online services likely to be accessed by a child.

  2. Data protection impact assessments ("DPIA"): Undertake a DPIA to assess and mitigate risks (which arise from your data processing) to the rights and freedoms of children who are likely to access your service. Take into account differing ages, capacities and development needs and ensure that your DPIA builds in compliance with this code.

  3. Age appropriate application: Take a risk-based approach to recognising the age of individual users and ensure you effectively apply the standards in this code to child users. Either establish age with a level of certainty that is appropriate to the risks to the rights and freedoms of children that arise from your data processing, or apply the standards in this code to all your users instead.

  4. Transparency: The privacy information you provide to users, and other published terms, policies and community standards, must be concise, prominent and in clear language suited to the age of the child. Provide additional specific 'bite-sized' explanations about how you use personal data at the point that use is activated.

  5. Detrimental use of data: Do not use children's personal data in ways that have been shown to be detrimental to their wellbeing, or that go against industry codes of practice, other regulatory provisions or Government advice.

  6. Policies and community standards: Uphold your own published terms, policies and community standards (including but not limited to privacy policies, age restriction, behaviour rules and content policies).

  7. Default settings: Settings must be 'high privacy' by default (unless you can demonstrate a compelling reason for a different default setting, taking account of the best interests of the child).

  8. Data minimisation: Collect and retain only the minimum amount of personal data you need to provide the elements of your service in which a child is actively and knowingly engaged. Give children separate choices over which elements they wish to activate.

  9. Data sharing: Do not disclose children's data unless you can demonstrate a compelling reason to do so, taking account of the best interests of the child.

  10. Geolocation: Switch geolocation options off by default (unless you can demonstrate a compelling reason for geolocation to be switched on by default, taking account of the best interests of the child). Provide an obvious sign for children when location tracking is active. Options which make a child's location visible to others must default back to 'off' at the end of each session.

  11. Parental controls: If you provide parental controls, give the child age appropriate information about this. If your online service allows a parent or carer to monitor their child's online activity or track their location, provide an obvious sign to the child when they are being monitored.

  12. Profiling: Switch options which use profiling 'off' by default (unless you can demonstrate a compelling reason for profiling to be 'on' by default, taking account of the best interests of the child). Only allow profiling if you have appropriate measures in place to protect the child from any harmful effects (in particular, being fed content that is detrimental to their health or wellbeing).

  13. Nudge techniques: Do not use nudge techniques to lead or encourage children to provide unnecessary personal data or weaken or turn off their privacy protections.

  14. Connected toys and devices: If you provide a connected toy or device ensure you include effective tools to enable conformance to this code.

  15. Online tools: Provide prominent and accessible tools to help children exercise their data protection rights and report concerns.

The ICO claims the Code "is the first of its kind, but it reflects the global direction of travel". Currently, in the EU, only Ireland is consulting on similar guidance. The Irish Data Protection Commission ("DPC") ran a public consultation on the processing of children's personal data and the rights of children as data subjects under the GDPR from December 2018 to May 2019. The consultation is an effort to promote an understanding of the rights and risks surrounding the processing of personal data relating to children. These guidelines have not yet been published.

Next steps

Organisations should review the ICO's Children's Code Hub and consider whether the Code will apply to them. If so, each organisation should review the Code and start making the necessary changes before the transition period ends on 02 September 2021.

This document (and any information accessed through links in this document) is provided for information purposes only and does not constitute legal advice. Professional legal advice should be obtained before taking or refraining from any action as a result of the contents of this document.