A new Code of Practice has been published by the Information Commissioner’s Office on age appropriate design for online services. The new Code is a requirement under the Data Protection Act 2018, and is intended to provide a set of 15 standards that online services should follow to protect children’s privacy.
Confusingly, while the code is called the Age Appropriate Design Code, the ICO has been referring to it as the “Children’s Code” in interviews and on social media.
Which services are subject to the Code?
The Code will apply to organisations that offer “relevant” information society services that are “likely” to be used by children.
“Information society services” is defined in EU law, and applies to services provided by electronic means at the request of the recipient. It includes services provided through apps and websites. It will also cover providers of connected devices. Interestingly, the CJEU recently held that Uber is a transport service, not an information society service. On that basis, Uber is outside the scope of the Code.
While the definition of information society services says that the service must be provided for remuneration, that remuneration need not come from the end user – it can take the form of advertising. It may also cover some not-for-profit activity.
The Code gives some examples of services that are not “relevant”, including some services provided by public authorities, websites that just provide information about offline services (including online booking facilities), traditional voice telephony services, and preventative or counselling services.
“Likely to be used by children” is very broad. A child is taken to be anyone under the age of 18. If you do not want your service to be used by children, then the Code says that you should take steps to prevent children from accessing it.
All organisations will therefore need to assess their potential users and decide whether to apply the Code or take steps to prevent children from accessing their services.
How does the Age Appropriate Design Code interact with GDPR?
The Code is not a requirement of GDPR. It is a UK innovation. It wasn’t even part of the Government’s original draft data protection bill. The requirement to produce a code arose out of an amendment to the bill introduced in the House of Lords.
One of the key aims of GDPR is that the law is standardised across the EU, and that regulators interpret and apply GDPR in a consistent manner. One consequence of the Age Appropriate Design Code is that it does not sit comfortably within the consistency mechanism.
The Code will also apply to organisations outside the UK that target services at users in the UK or otherwise monitor their behaviour.
Organisations operating in the UK and other EU member states may therefore find that they need to apply different approaches in the UK compared to the rest of the EU.
What is the status of the Age Appropriate Design Code?
The Code is not a binding statement of the law. Indeed, despite the implications in some media reports, it creates no new law.
However, as a statutory code of practice, the ICO is required to take it into account when considering the exercise of its functions, and the courts must take it into account where it is relevant.
It will be interesting to see how it is applied. While in some areas it provides practical guidance on applying data protection law, in other areas there is no obvious basis in law for the guidance.
What has changed since the draft Code was published?
The draft Code, published by the ICO in April 2019, attracted substantial criticism.
While a number of issues remain, changes have been made to soften the obligations around age verification and clarify what online services will be within the scope of the Code.
The Code sets out 15 standards:
Many of these standards reflect the principles of GDPR and are not specific to children.
Others go much further: for example, the expectation that the best interests of the child should be the primary consideration when you design and develop services. This creates a positive obligation to consider how, in your use of their personal data, you can keep children safe from exploitation risks and protect their health and wellbeing. That is likely to go far beyond the issues that most organisations will take into account when carrying out a DPIA.
When does the Age Appropriate Design Code come into force?
The Code now needs to be notified by the Government to the European Commission and then laid before Parliament for approval. If there are no objections within 40 sitting days, then the Code will come into force 12 days after that. However, there will be a transition period of 12 months to give organisations time to prepare.
All organisations that provide services through electronic means will need to assess whether the Code applies to them and the steps that they may need to take to comply. To discuss the Code, and its potential impact on your organisation, please get in touch.
On January 23, 2020