Following a public consultation on its draft code of practice with parents, children, schools, children’s campaign groups, developers, tech and gaming companies and online service providers which closed on 31 May 2019, the Information Commissioner’s Office (ICO) submitted its Age-Appropriate Design Code of Practice on 12 November 2019 but due to restrictions in the pre-election period it was not permitted to be published until 23 January 2020.

The purpose of the Code?
The Code aims to address the increasing concern both in the UK and internationally about children’s safety and exploitation of their data online and is designed to allow them to explore safely within the digital environment. The Code specifies which data protection safeguards need to be built into the design of online services to ensure they are appropriate for use by children and also to help meet children’s developmental needs. It is envisaged that as well as demonstrating compliance with current data protection laws, online service providers who follow the code will demonstrate to parents and other users of their services that they take children’s privacy seriously; that they can be trusted with children’s data and that their services are appropriate for children.

Who the Code applies to:
The Code applies to providers of information society services and providers of online products or services including apps, programmes, websites, games or community environments, as well as connected toys or devices (either with or without a screen) that process personal data and that are likely to be accessed by children in the UK.

Legal Status of the Code:
The Code is not a new law but is a statutory code of practice required under Section 123 of the Data Protection Act (DPA) 2018. The Code was submitted to the Secretary of State on 12 November 2019 and must complete a statutory process before it can be laid before Parliament. It will become law 40 days after being laid before Parliament in accordance with Section 125 of the DPA 2018. There will then be a 12 month transition period to allow providers to implement the necessary changes from the date the code takes effect following the Parliamentary approval process. The ICO expects that this will expire in Autumn 2021.

Consequences of non-compliance:
Conformity with the Code will be used as a key measure of compliance with data protection obligations under the General Data Protection Regulation (GDPR), the DPA and the Privacy and Electronic Communications Regulations (PECR). This measure of compliance will be specifically taken into account when considering questions of fairness, lawfulness, transparency and accountability under the GDPR as well as when the ICO are considering enforcement measures. The ICO have warned that if an online service provider does not conform to the code it will be difficult to demonstrate compliance with the law, which in turn is likely to trigger regulatory enforcement.

The Provisions of the Code:
The Code is a set of 15 design standards which focus on high privacy, child-friendly, default privacy settings with no data sharing and minimisation of data collection and use by default for all online providers whose services are likely to be accessed by children. The standards are non-prescriptive but are designed to ensure built-in protection for children when they are exploring, learning and playing online.

The 15 Standards of the Code:

  1. Best interests of the child – this is a primary consideration when designing and developing online services likely to be accessed by a child.
  2. Data Protection Impact Assessments (DPIAs) – these are to be undertaken to assess and mitigate risks which arise from data processing to the rights and freedoms of children who are likely to access services.
  3. Age appropriate application of the code – taking a risk-based approach, online service providers should either establish age with a level of certainty that is appropriate to the risks to the rights and freedoms of children that arise from their data processing, or apply the standards of the code to all users instead.
  4. Transparency – the privacy information provided to users, and other published terms, policies and community standards, is required to be concise, prominent and in clear language suited to the age of the child. Additional bite-sized explanations about how the service provider uses personal data needs to be provided at the point that use is activated.
  5. Detrimental Use of Data – children’s personal data must not be used in ways that have been shown to be harmful to their wellbeing, or that go against industry codes of practice or other regulatory provisions or Government advice.
  6. Policies and Community Standards – service providers are to uphold their own published terms, policies and community standards (including but not limited to privacy policies, age restriction, behaviour rules and content policies).
  7. Default settings – settings must be ‘high privacy’ by default, unless the service provider can demonstrate a compelling reason for a different default setting, taking into account the best interests of the child.
  8. Data minimisation – service providers are to collect and retain only the minimum amount of personal data required to provide the elements of their service in which a child is actively and knowingly engaged.
  9. Data sharing – children’s data is not to be disclosed to third parties unless a compelling reason to do so can be demonstrated, taking account of the best interests of the child.
  10. Geolocation – geolocation options are required to be switched off by default unless there is a compelling reason for them to be switched on by default, taking into account the best interests of the child. There should also be a sign that is obvious to the child when the geo-tracking is switched on. Options which make a child’s location visible to others are also required to revert to ‘off’’ mode automatically at the end of each session.
  11. Parental controls – the child needs to be provided with age appropriate information if there are parental controls. If the online service provides a facility for a parent or carer to monitor their activity online or track their location there needs to be an obvious sign to the child to show when monitoring is taking place.
  12. Profiling – any profiling options should be switched to off by default unless there are compelling reasons for profiling to be on by default, taking into account the best interests of the child. Profiling should only be permitted if there are sufficient measures in place to protect the child from harm (in particular, supplied content that is detrimental to their well-being).
  13. Nudge techniques – techniques that lead or encourage children to give unnecessary personal data or encourage them to switch off their privacy protections should not be used.
  14. Connected toys and devices – connected toys or devices should include effective tools to enable conformance with the code.
  15. Online tools – tools should be provided to help children exercise their data protection rights and to allow them to report concerns. These tools should be displayed prominently and be readily accessible.

Providers will need to be able to demonstrate that they conform to these standards which are also cumulative and interlinked. Service providers will therefore be required to implement them all, to the extent they are relevant to their service.

Action Required:
To ensure compliance with the new Code and avoid potential legal action or enforcement by the regulator, owners and developers of online services aimed at children or where children form a proportion of their users, will need to do a thorough audit of all their websites, apps, on-line games, toys and other devices (whether with or without screens) and any other on-line services by using DPIAs to check anywhere they may not align with the new Code and change their privacy default settings where necessary. Given that the 12 month transition period once the Code comes into full effect is relatively short, and that the ICO estimates that the Code will be in full effect by Autumn 2021, this audit process should be embarked on by those to whom the Code will apply as a priority.

Miriam Everett
Miriam Everett
Partner, Head of Data Protection & Privacy, London
+44 20 7466 2328
Hayley Brady
Hayley Brady
Head of Media and Digital, Technology, Media, Entertainment and Telecoms, London
+44 20 7466 2079
Anna McGowan
Anna McGowan
Professional Support Lawyer, Digital Technology, Media, Telecommunications, Sourcing & Data, London
+44 20 7466 2228