The Information Commissioner’s Office (ICO) considers that the Code is the first of its kind globally. It is based on the United Nations Convention on the Rights of the Child, which recognises age-specific safeguards for minors.
It is clear that the Code is intended to instigate significant change, with the Information Commissioner saying that 'A generation from now we will all be astonished that there was ever a time when there wasn’t specific regulation to protect kids online. It will be as normal as putting on a seatbelt'.
The next 12 months may therefore require some organisations to undertake rigorous reviews of their data protection practices as they seek to comply with the Code.
What is the Age Appropriate Design Code?
The Code is a statutory code of practice under the Data Protection Act 2018, which recognises that children’s data should be given special treatment. The ICO has repeatedly emphasised that children’s data is a regulatory focus point and so the introduction of the Code is not unexpected.
The Code sets out 15 standards which aim to ensure that children (meaning anyone under the age of 18) have an automatic minimum level of protection in the digital world. As children are treated differently from adults in the physical world (e.g. age-specific film ratings), a comparable level of protection should be offered to children in the digital world. Online services utilise a broad range of data, such as who is using the service, how frequently and where from, which can then be used to deliver targeted adverts and content to the child user.
The Code therefore requires that providers of online services protect children’s rights and freedoms by taking practical measures such as:
- allocating privacy settings that are high by default;
- switching off geo-location services that reveal a child’s location; and
- not using nudge techniques and notifications to encourage children to provide more personal data.
Who must comply?
Anyone who designs or develops online services in the UK will need to consider their compliance with the Code.
The Code’s remit is broad and captures any service that is likely to be used by someone under the age of 18. This includes, for example, apps, online games, connected toys and devices, search engines, social media platforms, streaming services, news or educational websites and websites that offer goods or services over the internet.
Practical steps to comply
- Assess whether the services your company offers fall under the remit of the Code. Organisations that fall under the remit of the Code must now use the next 12 months to review current practices and make any required changes. If you decide that the Code does not apply, you must document the reasons for this decision.
- Complete a data protection impact assessment (DPIA). The ICO provides a dedicated DPIA template. It is important to document your compliance and decision-making at each stage.
- Review new and existing services to ensure they reflect the Code’s guidelines, including default privacy settings, just-in-time notices and profiling.
- Review new and existing age verification mechanisms to ensure they are robust.
- Review the information and resources available to children using your services and consider whether these need amending to ensure they are appropriate to each age group.
- Review tools and mechanisms available to children to allow them to exercise their data subject rights.
The ICO has set up a Children’s Code hub to assist companies in preparing for compliance with the Code before the end of the transition period in September 2021.