ICO bolsters data protection rights for children in the digital world with the introduction of a new Age Appropriate Design Code

24 January 2020

Following a lengthy consultation process, the Information Commissioner’s Office has this month published the draft Age Appropriate Design Code (the Code). The Code, which is designed to be read alongside the existing provisions of the GDPR and the Data Protection Act 2018, is intended to bolster the standards online services should meet to protect children’s privacy.

The Code will apply to anyone responsible for designing, developing or providing online services like apps, connected toys, social media platforms, online games, educational websites and streaming services, and will be applicable to any service which may be accessible to children and may process the data of children.

The Code must now go through the standard legislative process before it becomes law, but is expected to come into force in autumn 2021. The ICO has announced that organisations will receive a 12-month period prior to autumn 2021 in which they must update their processes to comply with the Code before it comes into full force and effect.

The most notable change required by the Code is that organisations must by default set the privacy standards of children as high, and must not use behavioural ‘nudges’ to encourage children to weaken their privacy settings. The Code also introduces new rules on location tracking, profiling and data sharing in relation to children.

The Code introduces 15 new standards[1] which organisations will be required to comply with, including:

  1. The best interests of the child should be a primary consideration when designing and developing online services likely to be accessed by a child.
  2. Organisations must take a risk-based approach to recognising the age of individual users and ensure that they effectively apply the standards in the Code to child users.
  3. The privacy information provided to users, and other published terms, policies and community standards, must be concise, prominent and in clear language suited to the age of the child.
  4. Children’s personal data must not be used in ways that have been shown to be detrimental to their wellbeing, or that go against industry codes of practice, other regulatory provisions or Government advice.
  5. Settings must be ‘high privacy’ by default (unless the organisation can demonstrate a compelling reason for a different default setting, taking account of the best interests of the child).
  6. Children’s data must not be disclosed unless there is a compelling reason to do so, taking account of the best interests of the child.
  7. Geolocation options should be off by default (unless there is a compelling reason for geolocation to be switched on by default, taking account of the best interests of the child). It must also be obvious to children when location tracking is active, and options which make a child’s location visible to others must default back to ‘off’ at the end of each session.
  8. If any connected toy or device is provided, organisations must ensure they include effective tools to enable conformance to this code.
  9. Prominent and accessible tools must be available to help children exercise their data protection rights and report concerns.

The Code is subject to the standard ICO rules of enforcement relating to the GDPR, so the potential penalties for breaching the Code are quite large. Organisations should take advantage of the 12-month period they have been granted by the ICO to ensure their processes are up-to-date and Code compliant, in advance of autumn 2021.

[1] The full set of standards can be found here: https://ico.org.uk/for-organisations/guide-to-data-protection/key-data-protection-themes/age-appropriate-design-a-code-of-practice-for-online-services/code-standards/