Countdown: compliance must be achieved by 2nd September 2021
The Age Appropriate Design Code (also known as the Children’s Code) came into force on 2nd September 2020. The Children’s Code is a statutory code of practice designed and developed by the Information Commissioner’s Office (ICO) and applies to all organisations providing online services and products likely to be accessed by children under the age of 18.
At the time of implementation, the ICO introduced a 12-month transition period for organisations to make the necessary changes to ensure that the 15 standards (set out below) are incorporated into their design, development and upgrade processes. Organisations must be fully compliant with the Children’s Code by 2nd September 2021.
What is the Children’s Code?
The Children’s Code is a statutory code of practice and introduces 15 standards that must be incorporated into the design/upgrade process and development of children’s online services and products.
With a focus on providing default settings that ensure that children have the best possible access to online services whilst minimising data collection, the Children’s Code sets a standard for the appropriate protection of children’s personal data.
The full text of the Children’s Code can be found here
What are the 15 new standards?
- Best interests of the child: The best interests of the child should be a primary consideration for the design and development of online services likely to be accessed by a child.
- Data protection impact assessments (DPIA): A DPIA to assess and mitigate risks to the rights and freedoms of children who are likely to access the service must be undertaken.
- Age-appropriate application: A risk-based approach must be taken to recognising the age of individual users and applying the relevant standards of the Children’s Code. This can be achieved by either establishing age with a level of certainty that is appropriate to the risks to the rights and freedoms of children that arise from the data processing or by applying the standards of the Children’s Code to all users.
- Transparency: The privacy information provided to users, and other published terms, policies and community standards, must be concise, prominent and in clear language suited to the age of the child.
- Detrimental use of data: Children’s personal data should not be used in ways that have been shown to be detrimental to their wellbeing or go against industry codes of practice, regulatory provisions, or Government advice.
- Default settings: Settings must be ‘high privacy’ by default (unless it can be demonstrated that there is a compelling reason for a different default setting, taking account of the best interests of the child).
- Policies and community standards: Terms, policies and community standards (including but not limited to privacy policies, age restriction, behaviour rules and content policies) must be upheld.
- Data minimisation: Only the minimum amount of personal data should be collected and retained to provide the elements of the service in which a child is actively and knowingly engaged. Children should be given separate choices over which elements they wish to activate.
- Data sharing: Children’s data should not be disclosed unless it can be demonstrated that there is a compelling reason to do so, taking account of the best interests of the child. This is in addition to the existing safeguarding for children’s data which exists under data protection legislation (including GDPR).
- Geolocation: Geolocation options should be switched off by default (unless it can be demonstrated that there is a compelling reason for geolocation to be switched on by default, taking account of the best interests of the child). An obvious sign should be provided to children when location tracking is active.
- Parental controls: If parental controls are provided, child age-appropriate information should be given about this. If an online service allows a parent or carer to monitor their child’s online activity or track their location, an obvious sign to the child should be given when they are being monitored.
- Profiling: Options that use profiling should be switched off by default (unless it can be demonstrated that there is a compelling reason for profiling to be on by default, taking account of the best interests of the child). Profiling should only be permitted if appropriate measures are put in place to protect the child from any harmful effects (in particular, being fed content that is detrimental to their health or wellbeing).
- Nudge techniques: Nudge techniques to lead or encourage children to provide unnecessary personal data or weaken or turn off their privacy protections should not be used.
- Connected toys and devices: If a connected toy or device is provided, it should include effective tools to enable conformance to the Children’s Code.
- Online tools: Prominent and accessible tools should be provided to help children exercise their data protection rights and report concerns.
What online services and products does the Children’s Code apply to?
The application of the Children’s Code is very broad: it applies to all online services and products likely to be accessed by children under the age of 18. It is important therefore that organisations identify whether their online services and products are likely to be accessed by children – not that the products or services were intended to be used by children.
ICO Children’s Code Hub
The ICO has launched the Children’s Code Hub, which provides organisations with additional help and support to aid compliance with the Children’s Code.
What are the next steps for organisations that provide online services and products that are likely to be accessed by children?
The Children’s Code seeks to provide much needed online safeguarding for children’s data in an ever-increasing digital world.
The ICO is committed to monitoring conformance to the Children’s Code through pro-actively auditing and investigating any complaints against organisations. Where organisations are found to be in breach, the ICO is able to take enforcement action by issuing warnings, reprimands, stop orders and fines.
Organisations that may be caught by the legislation will need to be fully compliant with the Children’s Code by 2nd September 2021 and should review their existing processes. Ensuring that effective and proportionate mechanisms and tools are in place will prove vital in ensuring regulatory compliance within this rapidly developing area of law.
Here to help
Our specialist team of Commercial solicitors will continue to monitor regulatory guidance and any updates from the ICO and their recommended course of action. Should you wish to discuss the contents of this update and the potential impact this may have upon your business; please do not hesitate to get in touch on 0161 941 4000 or email the Commercial Team.