The ICO has published its Age Appropriate Design Code (see ICO Code) aimed at protecting children online.
The Code isn’t yet in force (parliament has to approve it first, following which there will be a 12-month transitional period). However, the ICO anticipates that it will come into full effect in the Autumn of 2021, giving organisations affected by the Code a year and a half to get their houses in order.
The Code is tied to the statutory obligations which organisations have under the GDPR and PECR. Consequently, organisations which fail to adhere to the standards set out in the Code will find it difficult to demonstrate that they have met their obligations under the GDPR/PECR. This could result in enforcement action by the ICO and ultimately fines (and as we all know, under the GDPR, the ICO has the power to issue fines of up to €20 million or 4% of annual, worldwide turnover, whichever is the higher).
Who will the Code apply to?
The Code will apply to organisations which provide online products or services for remuneration that process personal data and are likely to be accessed by children. Such products or services will include apps, programs, websites, games and connected toys and devices. Since the Code will apply regardless of whether an online product or service is specifically targeted at children, many online service providers will fall within its remit.
Websites, apps and social media platforms that rely on revenue generated by advertising will fall within the scope of the Code (as such services are generally regarded as being provided for remuneration).
What exactly will the Code do?
The Code will introduce 15 standards of ‘age appropriate design’ which organisations will need to implement in order to ensure that any processing of personal data relating to children complies with the data protection principles and other key rights and requirements under the GDPR.
As well as explaining what each standard means and its purpose, the Code provides organisations with practical guidance on how they can achieve compliance. However, it will be up to individual organisations to assess the risks to children posed by their particular online service or product and implement measures and safeguards appropriate to those specific risks.
What are the standards?
The standards are underpinned by a general requirement that the best interests of the child should be a primary consideration when an organisation designs and develops online services likely to be accessed by a child.
The other standards include:
- The need to embed a data protection impact assessment (‘DPIA’) into the design of any new online service which is likely to be accessed by children;
- The need for organisations to apply protections and safeguards which are age appropriate. In order to do so, organisations will generally need to verify the age range of their users. The ICO lists various methods that organisations can use to do this, ranging from self-declaration to third party age verification services. However, the Code advises that self-declaration will only be suitable for low risk processing;
- The need for organisations to be transparent (i.e. clear, open and honest) with children about their use of personal data. This will include the need to bring clearly drafted privacy information to the attention of children, provide just-in-time notices and present information in a child-friendly way (such as by using diagrams and cartoons);
- The need to switch geolocation options off by default (unless an organisation can demonstrate a compelling reason for doing otherwise);
- A requirement that organisations do not disclose children’s data to others (again, unless they can demonstrate a compelling reason to do so); and
- A requirement that organisations do not use nudge techniques to encourage children to provide unnecessary personal data or turn off privacy protections.
The ICO encourages organisations to read the code in full in order to fully understand how to implement each standard properly. Indeed, bearing in mind that non-compliance with the Code may be used to evidence breaches of the GDPR and/or PECR, we’d urge service providers to get to grips with the Code as soon as possible.
If you’d like any further information, please contact a member of our Information Law Team
RELATED: INFORMATION LAWGDPR