Broadly applicable ICO code presents a significant practical challenge to online services and is unlikely to be just 'one of a kind'
The UK Information Commissioner's Office's (ICO) Age Appropriate Design Code of Practice requires providers of online products and services (such as, websites, apps, games and connected toys) to review and, most likely, adapt their products and services to protect children's personal data.
The code takes effect from 2 September 2021, which means that there are now just over six months remaining for businesses to conform to the 15 "standards of design" it sets out. Businesses will need to move quickly to assess whether, and to what extent, the code applies to their products and services and what changes they may be required to make.
Failure to conform to the standards set out in the code will make it difficult for online service providers to demonstrate compliance with UK data protection laws. As more and more services enhance the protections afforded to children's data, any businesses not doing so risk falling behind market practice and being at increased risk of regulatory censure and reputational damage.
When does the code apply?
The code applies to providers of "information society services" that process personal data and are likely to be accessed by children; for these, a "child" is anyone under the age of 18. The code applies to:
- Information society services: The definition is broad and will cover most online services (whether paid for or not); for example, apps, programs, websites, social media platforms, online marketplaces, online games, news and educational websites will all be caught.
- Services that process personal data: The online service must process personal data that is subject to UK data protection laws.
- Services that are likely to be accessed by children: this does not only mean services that are targeted at children but also services that children are more likely than not to access. For online services that are not aimed at children, but are not inappropriate for them to use, the focus should be on how appealing the service will be to them.
In terms of its territorial scope, the code applies whenever UK data protection laws apply. Broadly, this means that not only will the code apply to services provided to users in the UK (whether by a UK service provider or otherwise) but also to services provided outside the UK that are provided by a controller with an "establishment" in the UK and process personal data in the context of the establishment's activities.
For businesses, understanding which of their services are in the code's scope is the all-important (and not always straightforward) first step.
What does the code require?
The code requires that in-scope services conform to 15 cumulative and interdependent "standards of age appropriate design", which together aim to safeguard children's personal data.
To start, all in-scope services will require a data protection impact assessment (DPIA) to assess:
- how children's data is processed in connection with the service;
- the specific risks to the rights and freedoms of children as a result of that processing (by reference to both the likelihood and severity of the risks); and
- what protective measures and safeguards are required to address those risks in conformance with the Code.
The ICO recognises that the measures and safeguards required will vary depending on the age range that users fall into. This means that, in practice, businesses need to establish age with some certainty. The code sets out some suggested methods for doing so.
The changes required to in-scope services may be quite significant and, by way of example, include:
- Tailored transparency information: Businesses will need to get creative with the presentation of their privacy information to children. Privacy information should be presented in bite-sized chunks and may be accompanied with diagrams, cartoons, graphics or video content in order for it to be considered "child friendly". A one-size fits all approach will not be sufficient, as the information must be tailored to the age of the child.
- Limited data sharing: Businesses will need to demonstrate a compelling reason why the disclosure of children's personal data to third parties is necessary. Additionally, personal data should not be shared if it is reasonably foreseeable that the recipient may process the data in a way that is detrimental to the child's wellbeing. This will require businesses to take mitigation steps such as undertaking due diligence as to the adequacy of the recipient's data protection practices and any further sharing of the data.
- Data minimisation: The ICO already expects online service providers to collect and retain only the minimum amount of personal data needed to provide the elements of its service in which a child is actively and knowingly engaged. However, the ICO now requires online service providers to identify what personal data is needed to provide each element of the service. In practice, this means that, if the business is offering a music download service, one element would be the search function, another would be the recommendations based on user activity and another would be sharing what a user is listening to with other users. Children should be given as much choice as possible over which elements of the service they wish to use and "bundling" of enhancements must not be used.
The standards in the code also restrict the use of nudge techniques, require online service providers to use certain default settings (settings must be set to high privacy by default and user profiling and geo-location should be switched off by default), and oblige providers to keep abreast of relevant standards and codes relating to children, such as CAP (Committees of Advertising Practice) guidance on marketing.
For some businesses, implementing the code's standards may require separate user accounts or entire services to be developed for use by children.
Do businesses have to comply?
The code is one of the statutory codes of practice that are required to be prepared by the ICO under the UK's Data Protection Act 2018 (along with codes of practice on data sharing, direct marketing and data protection and journalism).
The code is not law, however, it carries significantly more weight than guidance. The ICO must take the code into account when considering compliance with UK data protection laws, and has said that it will monitor conformance via proactive audits and investigation of complaints. Conformance - or otherwise - with the code can also be used as evidence in court proceedings. The ICO considers the public interest in protecting children online as a significant factor when considering regulatory action and is likely to take more severe action if it sees harm to children as compared with other types of non-compliance.
What do businesses need to do now?
Broadly, businesses need to:
- assess which of their services are caught by the code;
- audit and undertake a DPIA in respect of each of their in-scope services;
- identify what changes are required to each of their in-scope services to conform to the code; and
- implement those changes.
That work needs to be completed before 2 September 2021.
The code - which is much broader in scope than many might assume - adds significantly more detail to the broad-brush requirements of UK data protection laws and how they apply in relation to children's data. All in-scope services will need to do something to conform to the code, though the extent of the changes required will vary depending on the nature of the service.
The code may well be "the first of its kind" (in the words of the ICO), but it will certainly not be the last. Regulators in several EU jurisdictions (including France and Ireland) are already following suit and have launched consultations or published guidance in relation to the protection of children's data online. We expect that there will be certain specific differences in how regulators approach this issue, although the hope is that any standards or guidelines introduced give businesses providing services internationally sufficient flexibility to take the same, or a similar, approach across each of those services, at least within the UK and the EU.
This article was prepared and written with the support of Harriet Parratt.
Originally published 18 February 2021
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.