The ICO has published its final Age Appropriate Design Code of Practice for Online Services, following a public consultation last year.

The code sets out 15 standards applicable to certain online services aimed at or likely to be accessed by children, requiring the “best interests” of the child to be the primary driver of product and service design. 

Who should read this?

  • Anyone that designs or develops online services will need to consider whether the code applies, including services such as apps, connected toys and devices (including any devices which are likely to be used by a child), search engines, social media platforms, streaming services, online games, news or educational websites and websites that offer goods or services over the internet.
  • The code does not just apply to services specifically directed at children. If your service is likely to be used by anyone under the age of 18, the Code will apply.
  • We have summarised below the status of the code, the types of services it applies to, the key practical steps organisations should take and consequences of non-compliance.

What is the status of the Code?

  • The code is a Statutory Code of Practice required to be prepared by the ICO under the Data Protection Act 2018. Once in force, the ICO is required to take the code into account when deciding if an organisation has complied with the General Data Protection Regulation and the Privacy and Electronic Communications (EC Directive) Regulations (PECR).
  • The Code has been published by the ICO and now needs to be approved by Parliament. Once it has been approved, organisations will have 12 months to update their practices before the Code comes into full effect, which the ICO expects to be in autumn 2021.

What does the Code apply to?

The Code applies to “information society services” (e.g. apps, programs, connected toys and devices, search engines, social media platforms, streaming services, online games, news or educational websites and websites that offer goods or services over the internet) that are:

  • “likely” (i.e. it is more probable than not) to be accessed or used by a child, which for these purposes is anyone under the age of 18; and
  • based in the UK, or based outside of the EEA and are offered to children in the UK or monitor the behaviour of children in the UK.

What does the Code require?

  • The Code includes 15 standards of age appropriate design and applies to new as well as existing services.
  • The primary consideration when developing or designing a service likely to be accessed or used by children is the “best interests of the child”. The other standards set out in the Code cover the following topics: data protection impact assessments, age appropriate application, transparency, detrimental use of data, policies and community standards, default settings, data minimisation, data sharing, geolocation, parental controls, profiling, nudge techniques, connected toys and devices and online tools.
  • We have produced a detailed summary of the key points in the Code, including a summary of each of the standards, which you can read here.  

What practical steps should organisations take?

  • As a starting point, it will be necessary to assess whether the Code applies to your existing services. If you decide the Code does not apply, the ICO expects that organisations document the reasons for this decision.
  • If the Code does apply, the ICO expects organisations to be prepared to demonstrate how they comply with the Code.
  • It will therefore be important to document how you have complied in practice with the requirements of the Code, and be able to provide the ICO with copies of relevant DPIAs, policies, training and records of processing if requested.
  • Some practical steps to prepare include:
    • Updating DPIA templates to include elements demonstrating how the requirements of the Code have been met, as well as conducting/updating DPIA’s on existing services and consulting with children/parents where necessary;
    • Reviewing existing/introducing new age verification mechanisms to your service where necessary;
    • Reviewing/creating new information and resources for child users appropriate for their age;
    • Ensuring age appropriate tools are in place for children to exercise their rights under data protection laws;
    • Reviewing existing services and ensuring design changes are made where necessary in light of the Code, including default privacy settings, profiling, nudge techniques, just in time notices etc.

What are the consequences of non-compliance?

  • If the ICO finds there has been a breach of PECR or the GDPR, it can use its powers to take regulatory enforcement action, and failure to comply with the Code will be taken into account by the ICO when deciding if there has been a breach.
  • The ICO has stated that use of children’s data is one of its regulatory priorities and that complying with the standards set out in the Code is a key measure for demonstrating compliance with data protection laws.
  • The ICO has stated in the Code it is more likely to take formal enforcement action if proper steps have not been taken to comply with the Code and there is clear evidence or constructive knowledge that children are likely to access the service, and clear evidence of a significant risk from the use of children’s data.

Ben advises clients in a wide range of industry sectors, focusing in particular on data protection compliance, including healthcare, financial services, adtech, video games, consumer and business-to-business organisations. Ben regularly assists clients with global data protection compliance projects and assessments as well as specific data protection challenges such as international transfers and data security breaches. Ben is also regularly involved in drafting and negotiating data protection clauses in agreements for various clients in a wide range of industry sectors. Ben also regularly advises clients on electronic direct marketing and cookies.