The ICO’s Age Appropriate Design Code: is your organisation in scope?

Published 7 September 2021

On 2 September 2021, the ICO’s Age Appropriate Design Code for Online Services (the “Code”) came into force. Elizabeth Denham, the Information Commissioner, explains that its aim is to ensure that online providers create a safe space for children to learn, explore and play, not by seeking to protect children from the digital world, but by protecting them within it.

Those who are firmly within the scope of the Code, such as social media sites, will already be familiar with its requirements. However, it is important for all organisations to be aware of the Code’s scope as it is not restricted to services specifically aimed at children.

The Code applies to “information society services likely to be accessed by children” [emphasis added] in the UK (a child being anyone under the age of 18 years old). This includes the vast majority of online services used by children, including many apps, programs, connected toys and devices, search engines, social media platforms, streaming services, online games, news or educational websites and websites offering other goods or services to users over the internet. Therefore, organisations who do not target services at children may find themselves within its scope.

No doubt, you will already be aware if your organisation intends to target its services at children. But when will a service be deemed “likely” to be accessed by children? The Code states that “for a service to be ‘likely’ to be accessed, the possibility of this happening needs to be more probable than not”. When considering if your organisation meets this threshold, you should consider:

• the nature and content of the service and whether that has particular appeal for children;
• if you have an existing service, whether children form a substantive and identifiable user group; and
• the way in which the service is accessed and any measures you put in place to prevent children gaining access.

The Code is a “statutory code” prepared under the Data Protection Act 2018. As a statutory code, the ICO and courts must take it into account when considering enforcement action.

Requirements of the Code

The Code is not new law, but sets out how the requirements of the UK GDPR (and other legislation such as PECR) apply in the context of information society services likely to be accessed by children. It requires those in scope to put the best interests of the child first when they are designing and developing services that are likely to be accessed by them.

The Code sets out 15 flexible standards:

1. Best interests of the child: The best interests of the child should be a primary consideration when you design and develop online services likely to be accessed by a child.
   
   
2. Data protection impact assessments: Undertake a DPIA to assess and mitigate risks to the rights and freedoms of children who are likely to access your service, which arise from your data processing. Take into account differing ages, capacities and development needs and ensure that your DPIA builds in compliance with this code.
   
   
3. Age appropriate application: Take a risk-based approach to recognising the age of individual users and ensure you effectively apply the standards in this code to child users. Either establish age with a level of certainty that is appropriate to the risks to the rights and freedoms of children that arise from your data processing, or apply the standards in this code to all your users instead.
   
   
4. Transparency: The privacy information you provide to users, and other published terms, policies and community standards, must be concise, prominent, and in clear language suited to the age of the child. Provide additional specific ‘bite-sized’ explanations about how you use personal data at the point that use is activated.
   
   
5. Detrimental use of data: Do not use children’s personal data in ways that have been shown to be detrimental to their wellbeing, or that go against industry codes of practice, other regulatory provisions, or Government advice.
   
   
6. Policies and community standards: Uphold your own published terms, policies and community standards (including but not limited to privacy policies, age restriction, behaviour rules and content policies).
   
   
7. Default settings: Settings must be ‘high privacy’ by default (unless you can demonstrate a compelling reason for a different default setting, taking account of the best interests of the child).
   
   
8. Data minimisation: Collect and retain only the minimum amount of personal data you need to provide the elements of your service in which a child is actively and knowingly engaged. Give children separate choices over which elements they wish to activate.
   
   
9. Data sharing: Do not disclose children’s data unless you can demonstrate a compelling reason to do so, taking account of the best interests of the child.
   
   
10. Geolocation: Switch geolocation options off by default (unless you can demonstrate a compelling reason for geolocation to be switched on by default, taking account of the best interests of the child), and provide an obvious sign for children when location tracking is active. Options which make a child’s location visible to others should default back to ‘off’ at the end of each session.
    
    
11. Parental controls: If you provide parental controls, give the child age appropriate information about this. If your online service allows a parent or carer to monitor their child’s online activity or track their location, provide an obvious sign to the child when they are being monitored.
    
    
12. Profiling: Switch options which use profiling ‘off’ by default (unless you can demonstrate a compelling reason for profiling to be on by default, taking account of the best interests of the child). Only allow profiling if you have appropriate measures in place to protect the child from any harmful effects (in particular, being fed content that is detrimental to their health or wellbeing).
    
    
13. Nudge techniques: Do not use nudge techniques to lead or encourage children to provide unnecessary personal data or turn off privacy protections.
    
    
14. Connected toys and devices: If you provide a connected toy or device, ensure you include effective tools to enable conformance to this code.
    
    
15. Online tools: Provide prominent and accessible tools to help children exercise their data protection rights and report concerns.

We recommend that all online organisations review their operations and consider the scope of the Code.

For further information, please contact Jade Kowalski.