For those tasked with thinking about data privacy (and few can entirely escape that responsibility now), continued developments in law and best practice present an ongoing challenge. Anyone thinking that 25 May 2018 would bring with it certainty, as well as the GDPR, will have been disappointed.
Further protection for children's data
Across Europe, Member States and their regulators continue to develop new legislation, codes of practice and recommendations, and the UK is no exception. The Data Protection Act 2018 (DPA18) requires the UK's Information Commissioner to prepare a number of Codes of Practice to assist with specific types of data processing. S.121 requires the ICO to prepare a Code of Practice on standards of age-appropriate design of relevant information society services which are likely to be accessed by children. The ICO published its draft Age Appropriate Design Code for consultation in May 2019. The consultation closed on 31 May 2019 and the regulator is now reviewing the draft Code in light of the responses received. Once finalised, the draft Code will be laid before Parliament for approval by 23 November 2019. There will be a grace period of up to one year after it comes into force.
The Code contains 16 interconnecting provisions that set out the requirements online services must meet to make their services suitable for children. Topics range from data minimisation to connected toys. When in force, the Code will sit alongside the DPA18 to provide structure to site operators' data privacy compliance efforts as well as standards for the regulator to consider when determining the fairness or otherwise of processing activities.
How was the Code developed?
The Code owes its existence in large part to a number of campaigners who insisted upon amendments to the DPA18 as it was going through Parliament. 5Rights, one of the most prominent groups, described the Code as "a new deal between children and the tech sector", adding "It will redress the balance between the needs and safety of children and the commercial interests of online services". To see a campaigning group welcome the work of a regulator so warmly and without hesitation could be viewed as an ominous indication of the amount of work it will take site operators to comply with the new requirements.
In developing the draft Code, the ICO was required to consult with relevant organisations as well as parents and children, and to consider the UK's obligations as a signatory to the United Nations Convention on the Rights of the Child.
What does the Code do?
The draft Code contains guidance on standards of age-appropriate design for information society services likely to be accessed by children, not just sites actively targeting children. This will prove challenging for many site operators, since information society services of various sorts can be found across a large number of sites, apps and portals covering a huge swathe of online activity.
The ICO has further determined that the Code will apply to users under the age of 18, whereas the GDPR tends to focus on under-16s, particularly in relation to digital consent. This will pose particular difficulties for operators whose services do not target children but may be accessed by individuals of all ages. They will need to work out at what age range to pitch not only the policies and privacy notices but also the design and functionality of a whole site, which may lead to many risking non-compliance or otherwise aiming to meet the needs of the youngest possible user.
Potential compliance issues
The draft Code is subject to change, but pitfalls to watch out for will include: