The ICO’s Age Appropriate Design Code (or, to use its snappier title, “the Children’s Code”) came into force on 2 September 2020 with a 12-month transition period. In this article we set out:
- An overview of the requirements.
- Our advice on whether your organisation needs to comply.
What is the Children’s Code?
The Children’s Code is a statutory code that was laid before Parliament under section 125(1)(b) of the Data Protection Act 2018. This means that if you are caught by the Code, you have a legal duty to comply with it, and you must conform by 2 September 2021, when the transition period ends.
In essence, the ICO’s Children’s Code has been created to safeguard children when they engage with online services. It sets out standards that organisations need to follow to promote safer environments for children to explore, learn and play online. It also seeks to regulate the “datafication” of children.
When does it apply?
The Children’s Code applies to “information society services likely to be accessed by children” in the UK.
“Information society service” is defined as:
“any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services”.
The definition is broad and covers most online services. Examples of online services are:
- Many websites (e.g. search engines, social media platforms, news or educational websites and websites offering other goods or services)
- Connected toys and devices
- Online games
- Streaming services
You will still be caught by the Code even if you are not aiming your services directly at children; the Code applies if your service is likely to be accessed by children.
The ICO has published a flowchart that is useful in helping you work out whether your services are covered by the Code.
For the purposes of the Code, a child is anyone under the age of 18. This means it potentially has a broader reach than the UK GDPR/DPA 2018, where the age of a child is set at 13 for the purpose of obtaining their consent for engagement with information society services. As well as complying with the Code for all children under the age of 18 who have access to, or are likely to have access to, your services, if you are relying on consent as your lawful basis you will also need parental consent for children under 13.
Throughout the Code there are references to the developmental age ranges of children, which are cross-referenced to ICO recommendations set out in an annex to the Code. This will be particularly helpful for organisations taking a risk-based approach to implementation of the Code.
Does it apply outside of the UK?
As the ICO’s Children’s Code has been issued under the Data Protection Act 2018, it applies to online services based in the UK. It also applies if your organisation:
- Has a branch, office or other “establishment” in the UK, but the online services are based outside the UK.
- Does not have a branch, office or other “establishment” in the UK, but offers services to users in the UK or monitors the behaviour of UK users.
What are the standards?
There are 15 standards in the ICO’s Children’s Code, and they require an organisation to take a risk-based approach. The standards are:
1. Best interests of the child
This concept derives from Article 3 of the United Nations Convention on the Rights of the Child (UNCRC). The UNCRC is a framework that balances the different interests and concerns that affect children, with the aim of providing whatever is best for each individual child. To comply, you need to consider the needs of child users and ensure you design your online services to support those needs.
2. Data protection impact assessment
A DPIA is required if children are likely to access your online services. A DPIA will help you adopt a design and default approach, baking good data protection practices into your design, and enabling you to identify and minimise data protection risks from the outset.
3. Age-appropriate application
This standard is about putting the different needs of children at various age ranges and stages of development at the heart of your service, to ensure that any services likely to be accessed by children are appropriate for them.
4. Transparency
The privacy information you provide to children must be age appropriate. This means using concise and clear language suited to the age of the child likely to access your service.
5. Detrimental use of data
You should not use children’s data in any way that is detrimental to their physical or mental health and wellbeing, or that goes against industry codes of practice, other regulatory provisions or Government advice.
6. Policies and community standards
Users of your services should be able to expect them to operate as you say they will; this means that if your organisation publishes T&Cs, privacy policies or community standards, this standard requires you to adhere to them.
7. Default settings
Default privacy settings must be set at “high privacy” unless you can demonstrate a compelling reason not to.
8. Data minimisation
You should only collect and retain the minimum amount of personal data you need to provide each individual element of your service. Children should also be given as much choice as possible over the elements they want to use, as this also lets them choose how much personal data they provide to you.
9. Data sharing
Unless you can demonstrate a compelling reason to do so, you should not disclose children’s data to third parties outside your organisation.
10. Geolocation
Geolocation options should be switched off by default unless you can demonstrate a compelling reason for them to be turned on by default. When location tracking is active, you must provide an obvious sign to let children know. Geolocation includes GPS data and data about connections to local Wi-Fi equipment.
11. Parental controls
If you provide parental controls, you should make it clear to children that parental controls are in place, and whether they are being tracked or monitored by a parent or guardian.
12. Profiling
If your service can profile children, those settings should be switched off by default unless you can demonstrate a compelling reason for them to be switched on by default.
13. Nudge techniques
You should not use nudge techniques to lead or encourage children to provide unnecessary personal data or turn off privacy protections. You may wish to consider nudging children towards materials and resources, for example, that support their health and wellbeing.
14. Connected toys and devices
Toys and devices that can be connected to the internet need effective tools to enable conformance with the Code; for example, being able to anticipate and provide for multiple users across a range of ages.
15. Online tools
Children should be able to exercise their data protection rights and report concerns. You will need to provide prominent and accessible tools to help them do so. These tools should be tailored to age groups and explain clearly what they are designed to do; for example, labelling a button “download all my data”, rather than “make a subject access request”.
It applies to us – what next?
First, you will probably need to make sure that you understand the age range of children who may be accessing your services. This is important because it will enable you to (a) tailor accessibility and content and (b) consider the recommendations set out in the Code for those age ranges.
If the service has yet to launch, you will then want to carry out a DPIA. If the service is already live, you should consider conducting an audit against the Code’s standards.
The results of your DPIA or audit will likely throw up some remedial works or actions that need to be taken, and you will need to ensure these are completed by 2 September 2021. You should keep records of this work for audit trail purposes.
If you consider that the Code does not apply to your organisation, we advise that you document your rationale for that view.
Need more information?
Get in touch now if you need more detailed advice and support on implementation of the ICO’s Children’s Code across your online services. You can also find more information on the ICO’s Children’s Code hub.