The ICO’s Age Appropriate Design Code comes into force
04 September 2020
Data sits at the heart of the digital services that most people, including children, use every day. Data relating to children is afforded special protection in the GDPR and the Information Commissioner’s Office (“ICO”) has stated that use of children’s data is one of its regulatory priorities.
The ICO has this week issued its Age Appropriate Design Code (the “Code”). The main purpose of the Code is to address the growing concern about the safety of children and the abuse of their data in the digital age. It lays down the specific data protection safeguards which information society service providers and providers of online products or services are required to incorporate into their service design to ensure that their services are appropriate for children.
Organisations have a twelve month transition period to make the necessary changes to their processing activities to ensure compliance with the Code by 2 September 2021.
Who the Code applies to
The Code applies to organisations providing online services and products (including apps, programs, websites, search engines, social media platforms, streaming services, games or community environments) that process personal data and likely to be accessed by children up to age 18.
The Code applies on a worldwide basis to organisations that monitor children in the UK, or where it's apparent that they intend to offer online services or goods to children in the UK.
The Key Standards in the Code
The Code sets out 15 standards with a focus on high privacy, child-friendly, default privacy settings with no data sharing and minimisation of data collection and use by default for all online providers whose services are likely to be accessed by children. All standards are inter-linked and must be wholly implemented by online service providers.
The Code does not follow a “one size fits all” approach; rather it requires organisations to carry out age appropriate design. The code divides children into 5 developmental ages: 0 - 5; 6 - 9; 10 - 12; 13 - 15; 16 - 17. It provides guidance on developmental factors for each age group and provides suggestions on how to tailor design with these different age groups in mind.
The 15 standards that organisations should consider when designing and developing online services likely to be accessed by a child, include the following:
- Ensure that best interests of the child is a primary consideration. Organisations should consider the needs of child users and work out how it can best support those needs in the design of its online service. In doing this, organisations should take into account the age of the user. Taking account of the best interests of the child does not mean that an organisation cannot pursue its own commercial or other interests. An organisation’s commercial interests may not be incompatible with the best interests of the child, but it will need to account for the best interests of the child as a primary consideration where any conflict arises.
- Ensure that privacy notices and other published terms, policies and information provided is concise and in clear language suited to children. Additional “bite-sized” descriptions about how personal data is processed should also be provided.
- A requirement that a child’s personal data is not used in ways that can be harmful to their wellbeing, or that go against industry codes of practice or other regulatory provisions or Government advice. For example, organisations should avoid using personal data in a way that incentivises children to stay engaged, such as offering personalised in-game advantages based upon their personal data in return for extended play, and should introduce mechanisms such as pause buttons which allow children to take a break at any time without losing their progress in a game.
- Settings must be ‘high privacy’ by default, unless the service provider can demonstrate a compelling reason for a different setting. This means that a child’s personal data is only visible or accessible to other users of the service if the child amends their settings to allow this. It also means that unless the setting is changed, an organisation’s use of the children’s personal data is limited to use that is essential to the provision of the service. Any optional uses of personal data, including any uses designed to personalise the service have to be individually selected and activated by the child.
- Children’s data must not be disclosed to third parties unless a compelling reason to do so can be demonstrated, taking account of the best interests of the child.
- Geolocation options (i.e. GPS data or data about connection with local Wi-Fi equipment) must be switched off by default unless there is a compelling reason for them to be switched on.
- Techniques that lead or encourage children to give unnecessary personal data or encourage them to switch off their privacy protections should not be used.
- Tools should be provided to help children implement their data protection rights and to allow them to report any concerns or complaints. These tools should be visibly displayed and always accessible.
Organisations should now assess whether the Code applies to its existing services. If so, then it is important that organisations start to consider what steps they need to take to ensure compliance with the requirements of the Code by 2 September 2021. These steps may include:
- Reviewing the existing / new age verification mechanisms for its services.
- Undertaking a Data Protection Impact Assessment to assess and mitigate the risks to children who are likely to access its services.
- Reviewing or creating new resources for under-18 users appropriate for their age and ensuring that age-appropriate tools are in place for children to exercise their rights under data protection laws.
- Ensuring design changes are made if necessary, including default privacy settings, profiling, its use of nudge techniques etc.
- Ensuring that any members of staff involved in the design of online services are aware of and comply with this Code and receive appropriate training in data protection.
- Keeping a record of all processing activities and be prepared to demonstrate conformance with the Code.
If the organisation decides that the Code does not apply, it must document and keep a record of the reasons for this decision.
Organisations must not only comply with the Code but must also be in a position to demonstrate compliance, which is a key measure of conformity with data protection obligations under GDPR. For serious data protection breaches, the ICO has the power to issue fines of up to €20 million or 4% of turnover.
The ICO has stated that if they see harm or potential harm to children they will likely take more severe action against an organisation than would be the case for other types of personal data. Given that the ICO intends to undertake a series of proactive audits to ensure compliance with the Code, organisations should ensure they have an audit trail in place to document and demonstrate its compliance.
If you wish to discuss any aspect of the new Code and what it means for your organisation, please contact the Commercial Law team at Carson McDowell for further information.
*Please note that this information is for guidance purposes only and does not constitute, nor should be regarded as, a substitute for taking legal advice that is tailored to your particular circumstances.