UK: Information Commissioner's Office Age Appropriate Design Code

The days of parents supervising their children's every digital move are quickly becoming a distant memory. The sole computer which once sat in the living room in full view of the whole family has now been replaced with a multitude of devices capable of accessing the internet, from phones and tablets, to smartwatches, toys, and game consoles. While children's use of the internet has been growing over the years anyway, the Coronavirus pandemic has in no doubt escalated usage. As the pandemic hit and countries all over the world announced quarantines and stay at home orders, the lives of children up and down the UK were reduced, in most part, to the four walls of their home. As a result, their worlds went truly digital, with their education, shopping, socialising, playing, and fitness activities all moving online, a move which will not necessarily be reversed anytime soon.

While technology can provide significant benefits to society, it can also present danger, particularly to vulnerable groups, such as children. The ICO acknowledges that the current digital world is not a 'safe space' for children. This is reinforced by the NSPCC estimating that 90 cybercrimes are recorded by UK Police a day.

Separately from crimes being committed against children online, there are other risks, for example inappropriate content, bullying, being influenced to buy in-app purchases, and profiling. One of the greatest risks to children may actually appear to be the most benign: internet supported toys. Hackers could gain unauthorised access to the toy which would allow them to talk to and/or watch unsuspecting children. In a similar vein, smartwatches may seem like an innocuous way to track a child's fitness but they may actually be exposing the child to risks if the devices have geolocation capabilities that can be accessed by hackers.

With these risks in mind, the ICO's Age Appropriate Design Code could arguably not have come at a better time. While the Code, which the ICO had the duty of developing under the Data Protection Act 2018, does not change the law, it does however put a considerable amount of meat on the bones of the GDPR regarding the processing of children's data which is collected online. Organisations caught by the Code have 12 months to adhere to the 15 new standards detailed in the Code, failing which it could be exposed to regulatory action from the ICO including, but not limited to, a fine of the greater of 4% of annual global turnover or £18 million.

Which organisations are caught be the Code?

The Code will apply to organisations that provide 'information society services' that are likely to be accessed by children in the UK (for purposes of the Code, these are those children under the age of 18).  An ISS is an online service provided for remuneration at a distance by electronic means and at the request of a recipient of services.

Essentially most online services are considered an ISS. This is the case even where the 'remuneration' is not paid for by the end user, for example, it may be funded by advertising. It also covers not-for-profit ISS provided they can be considered as 'economic activity' in a more general sense.

Which organisations are not caught by the Code?

What are the Standards?

The Code sets out 15 standards of 'age appropriate design'.  Relevant organisations ought to follow all of the Standards as part of their approach to complying with data protection generally. Notably, the Code continues the GDPR's message of adopting a proportionate and risk-based approach when implementing the Code. Recognising that each organisation is different and technology moves at such speed, the Code allows for flexibility in terms of how each organisation determines compliance, reinforcing privacy by design once again.

A summary of the Standards:

1. The best interests of the child must be a primary consideration.
2. A child-focused Data Privacy Impact Assessment ought to be undertaken or updated if one is already in place (a child focused DPIA template is available on the ICO website).
3. Online services accessed by children ought to be age appropriate.
4. Organisations should be transparent with their users ensuring any notices, information, or general language is child-friendly.
5. Children's data should not be used or processed in a way that is detrimental to them.
6. Organisations should uphold their own policies and community standards.
7. Default settings should usually be set at 'high privacy.'
8. Organisations should only collect the minimum amount of personal data that they require to provide the part of the online service that the child wants to engage with.
9. In general, a child's data should not be shared with third parties outside your organisation.
10. In general, geolocation privacy settings should be switched off by default.
11. Parental controls must be balanced with the child's right to privacy.
12. In general, options which use profiling should be switched off by default.
13. Nudge techniques which would lead a child to disclose more personal data than is necessary and/or switch off any privacy settings, should not be used.
14. Organisations which provide an internet-connected toy or device must ensure it includes effective tools to enable conformance to the Code.
15. Organisations should provide tools which allow children accessing their online services to easily exercise their rights under the GDPR, as well as report any concerns or complaints they may have.

Next steps

The first thing an organisation should do is establish whether or not the Code applies to their existing online services, or services that they plan to launch in the future. If it does not apply, we would recommend documenting its reasoning in this regard for accountability purposes.

If the Code does apply, the organisation must comply with the 15 Standards as soon as possible and no later than the 2 September 2021. To prepare for this, it may be useful to refer to the UK ICO's Children Code Hub which has a wealth of practical information. Ultimately, organisations should create and implement a plan to support compliance with the Code as soon as possible, which should be designed to the particular organisation's service, size, and resource.

As with any data protection compliance plan, we would recommend this is driven by the data protection officer (or equivalent person responsible for compliance) and overseen by the Senior Management Team. Bearing in mind that organisations only have 12 months to implement the Code, the plan should be actively monitored and executed to meet the deadline and thereafter to ensure the measures implemented remain appropriate.

We would also recommend that organisations supplement compliance with appropriate written policies covering compliance with the Code over and above what is currently in place for general GDPR/DPA compliance, and that appropriate staff training is provided.

Insight from Loretta Maxfield, specialist Data Protection Solicitor. For more information contact Loretta on 03330 430350 or email lmaxfield@thorntons-law.co.uk