On 2 September 2020, the ICO (Information Commissioner’s Office)’s new Age Appropriate Design Code came into force, with a 12-month transition period for businesses to comply. The Code applies to certain online services which are likely to be accessed by children, and sets out standards for safeguarding children’s privacy online that those services must adhere to.
As the deadline for compliance approaches, we provide a refresher on which businesses are caught by the code and what steps they need to take to comply.
What is the Age Appropriate Design Code?
It’s an ICO statutory code of practice setting out 15 standards for safeguarding children’s personal data online. ICO statutory codes of practice provide practical guidance to businesses about how to comply with data protection law. Whilst not new law, the ICO will take codes of practice into account when considering whether a business has breached its data protection obligations.
The Age Appropriate Design Code is not designed to prevent children from accessing online services, but rather to ensure that they are protected when they do. Importantly, in the context of the Code, children are defined as those under the age of 18.
Why has the Age Appropriate Design Code been introduced?
According to the ICO, one in five internet users are children but they are using online services that weren’t designed with their best interests in mind. The Code seeks to safeguard children by ensuring that websites and apps are designed in a way that protects their privacy and safety online.
Who must comply with the Age Appropriate Design Code?
The Code applies to information society services which are likely to be accessed by children.
What’s an information society service?
An information society service is an online product or service provided for remuneration, so most online services (including ecommerce websites, games, apps, online marketplaces, streaming or other content services etc.) are likely to be included. It also includes online services that are free to the user but are funded in other ways (eg through online advertising).
When is my online service likely to be accessed by children?
When considering whether your online service is likely to be accessed by children (ie under-18s), you will need to consider whether it is either specifically aimed at children, or whether it appeals to children, regardless of whether or not it was actually designed to be used by them. Remember that children means anyone under 18 years of age, so even if you think your online service is only likely to be used by 17-year-olds, it will still be caught!
You will need to take a common sense and risk-based approach when considering this, and of course it will be relevant if you actively restrict children from accessing your service.
If you decide that the Code doesn’t apply to your online service, make sure you document the reasons for your decision and review your decision regularly, particularly if your service changes.
Where does the Age Appropriate Design Code apply?
The Code applies to all UK-based businesses operating relevant information society services, and non-UK businesses who process the personal data of children in the UK.
How do I comply with the Age Appropriate Design Code?
If your online service falls within the scope of the Code, you’ll need to think about all of its 15 standards to make sure you’re properly safeguarding children’s personal data. You should also make sure key staff in your business are aware of the requirements of the Code and know how to apply these in practice.
Our Q&A on Privacy and Children contains more detailed guidance on the steps you’ll need to take, but here are some tips to get you started:
1. Carry out a Data Protection Impact Assessment (DPIA), or review your current DPIA if you already have one
This is a key component of the Code and it will help you to map out what personal data you collect from children, how it’s being used and identify the associated risks of your processing. Make sure you consider the entire user journey of any children who might use your service, and consider their age ranges, as this will inform what steps you need to take to mitigate any risks identified.
Whenever you develop new online services that might be used by children, make sure you carry out a DPIA during the development stage so that its outcomes can feed into the design and production of your service.
See our Data protection impact assessment policy for a template you can use to create an internal procedure for carrying out DPIAs when required. This includes a schedule on which you can record your DPIA outcome.
2. Consider the best interests of children
The Code requires you to make the best interests of children a primary consideration when you’re designing and developing your online service. You’ll need to consider how old your users are, how you can support their needs, and how you can protect them from the risk of exploitation and detriment.
3. Set high privacy settings for children by default
This means geolocation options, optional uses of personal data and options which use profiling should all be switched off by default, and data sharing should be limited. You should also avoid using nudge techniques to encourage children to change the default settings or to provide additional personal data.
4. Provide age appropriate tools and information
It’s really important to make sure that children who use your online service understand your privacy information. There are a number of steps you could take to ensure this, such as presenting information in a child-friendly way (eg using symbols, pictures or interactive content) and/or providing ‘bite-size’ explanations at the point at which they provide their personal data. You must also ensure that children are aware of what rights they have over their personal data and understand how they can exercise them. For some tips about how to do this, see our Q&A.
5. What happens if I don’t comply with the Code?
The ICO will consider a business’s compliance with the Code when assessing whether it has breached its data protection obligations. Not only can the ICO issue hefty fines for breaches of data protection law, but non-compliance can damage your business’s reputation.
The ICO has confirmed that when enforcing the Code, it will consider the steps you have taken to comply and the level of risk posed to children by your data processing. It is therefore really important to document the steps that you have taken to ensure that your online service complies with the Code, and why.
Before joining Sparqa Legal as a Senior Legal Editor in 2017, Frankie spent five years training and practising as a corporate disputes and investigations lawyer at leading international law firm Hogan Lovells. As legal insights lead, Frankie regularly contributes to Sparqa Legal’s blog, writing content across employment law, data protection, disputes and more.