Age Appropriate Design Code

The ICO’s Age Appropriate Design Code, which mandates online service providers to take the best interests of their child users into account, came into force on 2 September 2021 following a 12-month transition period.

We know that a lot of organisations, particularly in the retail and digital sectors, are currently grappling with what this means for them.  Here’s what you need to know.

What is the Code?

The Code sets out 15 standards that organisations providing online services need to implement in order protect the data of its child users. Child users, for the purpose of the Code, are users under the age of 18.

The Code takes a risk-based approach. It recommends default settings which seek to optimise children’s access to online services while limiting the collection and use of their data. It also ensures that those who choose to opt-out of these default settings are able to make an informed decision.

Who needs to comply?

The Code covers a range of online services such as apps, games, connected toys and services and news services. However, it is important that all organisations have an awareness of the Code as it is not limited to services that are designed specifically for children. The Code applies more broadly to “information society services likely to be accessed by children”. This means that if it is ‘more probable than not’ that a certain online service will appeal to children the Code will be engaged, whether that service is specifically targeted at those under 18 years old or not.  This is dependent on the nature and content of a service, as well as the way in which the service is accessed.

The Code not only applies to UK companies, but also non-UK companies who process the personal data of UK children.

What does this mean in practice?

The 15 standards established by the Code are summarised on the ICO’s website.   In effect, these standards simply emphasise and provide substance to the steps that organisations should already be taking to ensure that children’s data is processed in safely, fairly and lawfully.   Nonetheless, the Code provides a clear mandate of the ICO’s intentions to be especially proactive when it comes to protecting children’s online privacy rights.  It makes it is more important than ever for organisations offering in-scope services to ensure that they have properly considered and documented their approach to data protection compliance.  Amongst other things, this means:

• undertaking audits to understand and document which of your existing services and products may fall within scope of the Code;
• reviewing and, where required, adapting any in-scope existing services and products to ensure that they meet the required standards, in particular in terms of default privacy, profiling and geolocation settings, any deployed nudge techniques, age appropriate transparency information, and data minimisation;
• mapping any data sharing of children’s data with third parties and ensuring you have a documented compelling reason for doing so (taking into account the best interests of the child);
• focus on embedding age appropriate privacy by design techniques into the design and development of any new online services and products by undertaking thorough data protection impact assessments from conception stage;
• ensuring that relevant internal policies and procedures are updated to reflect the Code and that such standards are monitored and upheld.

Is compliance important?

While failure to comply with the Code is not a breach per se, it makes it difficult for online service providers to demonstrate compliance with UK GDPR more widely. This is turn could invite regulatory action and result in fines of up to £17.5 million or 4% of your annual worldwide turnover (whichever is higher).

In a post-GDPR world, consumers are increasingly aware of their privacy rights and the importance of protecting the online welfare of children.  Although the Code is the first of its kind, it will not be the last, with similar changes being considered in the US, Europe and more globally through the Organisation for Economic Co-operation and Development (OECD). The Code marks a significant step towards protecting young people online and active compliance provides an opportunity for businesses to be seen positively at the forefront of this change.