Following a lengthy consultation process, the Information Commissioner’s Office has this month published the draft Age Appropriate Design Code (the Code). The Code, which is designed to be read alongside the existing provisions of the GDPR, and the Data Protection Act 2018, is intended to bolster the standards online services should meet to protect children’s privacy.
The Code will apply to anyone responsible for designing, developing or providing online services like apps, connected toys, social media platforms, online games, educational websites and streaming services, and will be applicable to any service which may be accessible to children and may process the data of children.
The Code must now go through the standard legislative process before it becomes a law, but is expected to come into force in autumn 2021. The ICO has announced that organisations will receive a 12-month period prior to autumn 2021 in which they must update their processes to comply with the Code before the Code comes into full force and effect.
The most notable change as required by the Code, is that organisations must by default set the privacy standards of children as high, and must not use behavioural ‘nudges’ to encourage children to weaken their privacy settings. The Code also introduces new rules in relation to location tracking, profiling and data sharing, in relation to children.
The Code introduces 15 new standards[1] which organisations will be required to comply with, including:
The Code is subject to the standard ICO rules of enforcement relating to the GDPR, so the potential penalties for breaching the Code are quite large. Organisations should take advantage of the 12-month period they have been granted by the ICO to ensure their processes are up-to-date and Code compliant, in advance of autumn 2021.
[1] The full set of standards can be found here: https://ico.org.uk/for-organisations/guide-to-data-protection/key-data-protection-themes/age-appropriate-design-a-code-of-practice-for-online-services/code-standards/