The ICO’s Age Appropriate Design Code, otherwise known as the Children’s Code, comes into force on 2 September 2020 and businesses have got 12 months to make sure their website or app complies. According to the ICO, one in five internet users in the UK are children, and put simply, the Code aims to make sure that websites and apps are designed in a way that protects their privacy and safety.
To give you a head start during the 12-month transition period, we take a look below at whether your website or app falls within the scope of the Code and, if so, what measures you’ll need to put in place.
What is the Age Appropriate Design Code?
The Age Appropriate Design Code is a statutory code of practice setting out 15 standards for safeguarding children’s data, which businesses should take into account when designing a relevant online service.
It’s not new law, but it explains how data protection law applies when children use online services and the ICO must take it into account when considering whether a business has breached its data protection obligations under the GDPR. Failure to comply with data protection law can lead to significant fines and reputational damage.
Does my website or app need to comply with the Code?
The Code applies to information society services which are likely to be accessed by children. Let’s break it down…
- Do you provide an online product or service for remuneration (eg you’re an online retailer or you run an app)?
- Do you process personal data on your website or app?
- Is your website or app likely to be accessed by children (under-18s) in the UK (ie is it either specifically aimed at children or are they likely to use it)? To answer this question you’ll need to think about how much your website or app is likely to appeal to children, provided it’s not an inappropriate service for them.
If you answered yes to all of these questions, then the Children’s Code probably applies to your website or app.
What do I need to do to comply with the Code?
The Children’s Code is made up of 15 flexible standards and you’ll need to think about all of them to make sure you’re properly safeguarding children’s personal data. Here are some tips to get you started:
🔍 Carry out a data protection impact assessment
If your online service is likely to be accessed by children, in practice you’ll always need to do a DPIA. For the purposes of the Age Appropriate Design Code, you’ll either need to carry out a new DPIA or review your current one to assess and record how you comply with the Code at each stage. You’ll need to consider things like:
- the age range of the children who are likely to use your service and what you’ll do with their personal data;
- the potential benefits for the children and the commercial interests for your business;
- whether you need to consult with both children and parents; and
- what the broader risks of your data processing might be for children’s welfare and wellbeing.
You should keep your DPIA under review and make sure its outcomes feed into the development and design of your service. For guidance on how to carry out a data protection impact assessment, see our Q&A on Data protection impact assessments.
👶 Act in the best interests of children
The Code requires you to put the best interests of children at the forefront of your mind when you’re designing and developing your online service. You’ll need to consider how old the children likely to use your website or app are, and how you can support their needs when you’re processing their personal data, eg how you can protect them from the risk of exploitation and support their wellbeing and development.
🔒 Set high privacy settings by default
This means geolocation options, optional uses of personal data and options which use profiling should all be switched off by default, and data sharing should be limited. You should also avoid using nudge techniques to encourage children to turn off the default high privacy settings.
📢 Make sure children can understand your privacy information
It’s really important that children who use your website or app are given privacy information in a way they can understand. Examples include:
- making sure it’s provided in a prominent place on your website and using child-friendly techniques (eg using pictures, symbols or interactive content);
- providing bite-size explanations at appropriate times;
- suggesting they check with an adult before continuing; and
- providing age-appropriate information about parental controls if they’re used.
🔧 Provide appropriate tools to help children exercise their privacy rights
Children, just like anyone else, have certain rights over their personal data and you should make sure they know about them and help them to understand how to exercise them. Steps you could take include:
- providing tools in an accessible and prominent place on your website or app;
- ensuring the tools are age-appropriate (eg using icons, video or audio prompts);
- providing different tools for different rights; and
- making it easy for children to track the progress of their data request and to get in touch with you (eg to tell you their request is urgent).
For more guidance about the Age Appropriate Design Code and steps your business should take to comply, see our Q&A on Privacy and children.