A new Code of Practice has been published by the Information Commissioner's Office on age appropriate design for online services. The new Code is a requirement under the Data Protection Act 2018, and is intended to provide a set of 15 standards that online services should follow to protect children's privacy.
Confusingly, while the code is called the Age Appropriate Design Code, the ICO has been referring to it as the "Children's Code" in interviews and on social media.
Which services are subject to the Code?
The Code will apply to organisations that offer "relevant" information society services that are "likely" to be used by children.
"Information society services" is defined in EU law, and applies to services provided by electronic means at the request of the recipient. It includes services provided through apps and websites. It will also cover providers of connected devices. Interestingly, the CJEU recently held that Uber is a transport service, not an information society service. On that basis, Uber is outside the scope of the Code.
While the definition of information society services says that the service must be provided for remuneration, that remuneration need not come from the end user - it can take the form of advertising. It may also cover some not for profit activity.
The Code gives some examples of services that are not "relevant", including some services provided by public authorities, websites that just provide information about offline services (including online booking facilities), traditional voice telephony services, and preventative or counselling services.
"Likely to be used by children" is very broad. A child is taken to be anyone under the age of 18. If you do not want your service to be used by children, then the Code says that you should take steps to prevent children from accessing it.
All organisations will therefore need to assess their potential users and decide whether to apply the Code or take steps to prevent children from accessing their services.
How does the Age Appropriate Design Code interact with GDPR?
The Code is not a requirement of GDPR. It is a UK innovation. It wasn't even part of the Government's original draft data protection bill. The requirement to produce a code arose out of an amendment to the bill introduced in the House of Lords.
One of the key aims of GDPR is that the law is standardised across the EU, and that regulators interpret and apply GDPR in a consistent manner. One consequence of the Age Appropriate Design Code is that it does not sit comfortably within the consistency mechanism.
The Code will also apply to organisations outside the UK that target services at users in the UK or otherwise monitor their behaviour.
Organisations operating in the UK and other EU member states may therefore find that they need to apply different approaches in the UK compared to the rest of the EU.
What is the status of the Age Appropriate Design Code?
The Code is not a binding statement of the law. Indeed, despite the implications in some media reports, it creates no new law.
However, as a statutory code of practice, the ICO is required to take it into account when considering the exercise of its functions, and the courts must take it into account where it is relevant.
It will be interesting to see how it is applied. While in some areas it provides practical guidance on applying data protection law, in other areas there is no obvious basis in law for the guidance.
What has changed since the draft Code was published?
The draft Code, published by the ICO in April 2019, attracted substantial criticism.
While a number of issues remain, changes have been made to soften the obligations around age verification and clarify what online services will be within the scope of the Code.
The Code sets out 15 standards:
Best interests of the child: The best interests of the child should be a primary consideration when you design and develop online services likely to be accessed by a child.
Data protection impact assessments: Undertake a DPIA to assess and mitigate risks to the rights and freedoms of children who are likely to access your service, which arise from your data processing. Take into account differing ages, capacities and development needs and ensure that your DPIA builds in compliance with this code.
Age appropriate application: Take a risk-based approach to recognising the age of individual users and ensure you effectively apply the standards in this code to child users. Either establish age with a level of certainty that is appropriate to the risks to the rights and freedoms of children that arise from your data processing, or apply the standards in this code to all your users instead.
Transparency: The privacy information you provide to users, and other published terms, policies and community standards, must be concise, prominent and in clear language suited to the age of the child. Provide additional specific 'bite-sized' explanations about how you use personal data at the point that use is activated.
Detrimental use of data: Do not use children's personal data in ways that have been shown to be detrimental to their wellbeing, or that go against industry codes of practice, other regulatory provisions or Government advice.
Policies and community standards: Uphold your own published terms, policies and community standards (including but not limited to privacy policies, age restriction, behaviour rules and content policies).
Default settings: Settings must be 'high privacy' by default (unless you can demonstrate a compelling reason for a different default setting, taking account of the best interests of the child).
Data minimisation: Collect and retain only the minimum amount of personal data you need to provide the elements of your service in which a child is actively and knowingly engaged. Give children separate choices over which elements they wish to activate.
Data sharing: Do not disclose children's data unless you can demonstrate a compelling reason to do so, taking account of the best interests of the child.
Geolocation: Switch geolocation options off by default (unless you can demonstrate a compelling reason for geolocation to be switched on by default, taking account of the best interests of the child). Provide an obvious sign for children when location tracking is active. Options which make a child's location visible to others must default back to 'off' at the end of each session.
Parental controls: If you provide parental controls, give the child age appropriate information about this. If your online service allows a parent or carer to monitor their child's online activity or track their location, provide an obvious sign to the child when they are being monitored.
Profiling: Switch options which use profiling 'off' by default (unless you can demonstrate a compelling reason for profiling to be on by default, taking account of the best interests of the child). Only allow profiling if you have appropriate measures in place to protect the child from any harmful effects (in particular, being fed content that is detrimental to their health or wellbeing).
Nudge techniques: Do not use nudge techniques to lead or encourage children to provide unnecessary personal data or weaken or turn off their privacy protections.
Connected toys and devices: If you provide a connected toy or device ensure you include effective tools to enable conformance to this code.
Online tools: Provide prominent and accessible tools to help children exercise their data protection rights and report concerns.
Many of these standards reflect the principles of GDPR and are not specific to children.
Others go much further: for example, the expectation that the best interests of the child should be the primary consideration when you design and develop services. This creates a positive obligation to consider how, in your use of their personal data, you can keep children safe from exploitation risks and protect their health and wellbeing. That is likely to go far beyond the issues that most organisations will take into account when carrying out a DPIA.
When does the Age Appropriate Design Code come into force?
The Code now needs to be notified by the Government to the European Commission and then laid before Parliament for approval. If there are no objections within 40 sitting days, then the Code will come into force 12 days after that. However, there will be a transition period of 12 months to give organisations time to prepare.
All organisations that provide services through electronic means will need to assess whether the Code applies to them and the steps that they may need to take to comply. To discuss the Code, and its potential impact on your organisation, please get in touch.