In early 2020, in the wake of the UK Information Commissioner's (ICO) publication of the then-draft Age Appropriate Design Code (the Children's Code), we published a review of children's data protection rights in the UK. Our general review of websites and apps popular with children found that privacy notices typically ran into thousands of words and consisted of overly legalistic language, with often a vast range of different types of personal data being obtained from children. Whilst the different types of processing of children's personal data may not have been expressly prohibited under the UK's General Data Protection Regulation (UK GDPR), such extensive data collection was unlikely to be appreciated and understood by (all) children.
In light of concerns expressed by the ICO and others, such as the Children's Commissioner, that children were becoming 'datafied', the Children's Code sets out 15 cumulative, flexible and inter-linked standards. These reflect a risk-based approach to 'age appropriate design', designed to assist in-scope providers in complying with UK GDPR when designing and developing their online products and services that are likely to be accessed by children.
The Children's Code came into force on 2 September 2020, with the transition period for in-scope providers to get themselves in a position to comply (both in relation to their new online products and services, and also existing ones) coming to an end on 2 September 2021.
For more detail on the 15 standards in the Children's Code, please see the attached overview.
Who is in scope of the Children's Code?
The Children's Code applies to 'information society services' comprising online products or services that process personal data and which are "likely to be accessed by children" in the UK where those services are provided for remuneration.
The Code has an extremely broad potential application because:
- 'Children' includes all those under the age of 18.
- Whilst the Children's Code, of course, covers online products or services which are specifically designed for and aimed at children, it also governs those that children are likely to access (meaning the possibility of this happening is more probable than not), even where they are not aimed at children.
- The Children's Code has extra-territorial scope, so it includes providers established outside the UK where their products or services are likely to be accessed by those under 18 in the UK.
- Services that are provided for remuneration are not limited to those provided for direct remuneration, but include also those services funded via advertising (so could cover for example, charities and other non-profits).
Apps, social media sites, online games, connected toys, content streaming services, news websites, educational websites, and websites offering goods and services will therefore be in-scope of the Children's Code. Specific carve-outs include general (but not on-demand) broadcast services, as well as some other limited areas (such as counselling services, or services provided by local authorities).
Many providers will need to conduct an initial assessment of whether their online products or services are likely to be accessed by children, and should record the outcome of this assessment in a Data Protection Impact Assessment. This assessment will depend upon the nature and content of their service, but also how it is accessed and whether measures are in place to prevent children gaining access. Providers may want to conduct market research and provide evidence of the testing of their access restriction measures. Where a service is inappropriate for children to access - for example, it is an adult only, restricted, or otherwise child-inappropriate service – the focus should be on how to prevent access to children, rather than on making their product or service 'child-friendly', since the Children's Code does not apply.
Status of the Children's Code and likely enforcement
The Children's Code is a statutory code of practice. This means that the ICO must take it into account when considering whether there has been compliance with UK GDPR or the Privacy and Electronic Communications Regulations (PECR). A court must also take the Children's Code's provisions into account where relevant, and it could be used in evidence in court proceedings. Whilst fines under UK GDPR can be as high as £17.5 million or 4% of global annual turnover (whichever is higher), in practice, the ICO is likely to target only egregious breaches of the Children's Code and/or UK GDPR. This does not mean, of course, that organisations are free to ignore its provisions, or should not take them seriously. However, provided that an organisation is taking proper steps to assess and deal with any potential risks to children arising under the Children's Code, it is unlikely that significant enforcement steps will be taken against it.
Practical steps to ensure compliance with the Children's Code
- Assess whether your online products and/or services are likely to be accessed by children in the UK, and the likely age/s of those children.
- Conduct Data Protection Impact Assessments at an early stage of the design process for new online products/services, (and also for legacy products and services), to ensure that all relevant risks and potential harms are identified, assessed and mitigated. This process may involve consultation with children, parents and independent experts.
- Design your product or service with the 'best interests of the child' paramount. For example:
- set default settings as high-privacy
- give children appropriate alerts where geo-location, profiling or parental controls are in use
- give children choices over processing which is not central to your core service
- use positive, privacy-enhancing nudges which promote children's well-being.
- Adopt an age-appropriate approach to the design of your product or service, and in relation to the information you provide in your privacy notices, terms of service, and your community standards. This may mean:
- adopting multi-layered and 'just-in-time' notices
- using differing approaches differentiated by the age/s of your users
- in some cases, adopting the same approach to all users of your product or service, including adults.
Concern about the online activities of children and their exposure to online risks is, of course, not new, with the UK Children's Commissioner reporting in 2018 that children between 11-16 post on social media on average 26 times a day, leading to a potential 70,000 posts by the time they are 18. Alongside the Children's Code, those providers whose services encompass user-to-user interaction, or operate as search engines, will also need to ensure compliance with the Online Safety Bill in relation to illegal and/or harmful content on their sites, once it completes its passage through Parliament.
Both the Children's Code and the proposed Online Safety framework require an intensive and nuanced approach to the potential risks presented to children online, as well as an enhanced regulatory burden. However, controllers should note that a number of the Children's Code requirements are existing obligations on controllers under the UK GDPR.
In the meantime, the ICO continues to develop its guidance in certain areas: in particular, further guidance around age-assurance tools, including possible certification schemes, is anticipated.