UK: ICO rules regarding the online privacy of children enter into force

By James Clark and Anna Ward, DLA Piper UK LLP

The Age Appropriate Design Code (“Code”), a new statutory Code of Practice published by the UK Information Commissioner’s Office (“ICO”), enters into force today (2 September 2021) following a one year transition period.  The Code seeks to regulate the provision of online services to children, providing influential guidance to businesses regarding how to build such services in a way that complies with UK data protection law.

Background

It is a fact of modern life that the average child spends significant amounts of time online, often from a very early age.   This is a trend that has become particularly pronounced over the course of the Covid-19 pandemic, as everything from the delivery of education to socialising with friends has, as a matter of necessity,  become increasingly digital.  However, as the ICO highlights: “One in five UK internet users are children, but they are using an internet that was not designed for them”.

In this context, the importance of setting clear guardrails for businesses who interact with children online has become apparent.  The Code seeks to fulfil this need through the promotion of 15 flexible standards of ‘age appropriate design’ that have been created to reflect the special privacy safeguards children require when online.

The Children’s Code is not new law, but a statutory Code of Practice under the Data Protection Act 2018. The Code was laid before Parliament on 11 June 2020, under s. 125(1)(b) of the DPA. The Code was then issued on 12 August 2020 by the ICO, however enforcement of the Code was delayed for one year under a transition period designed to give businesses time to get to grips with the Code.

What does the Code say?

In essence, the Code explains how the UK General Data Protection Regulation, the Data Protection Act and the Privacy and Electronic Communications Regulations apply to the design and delivery of ‘information society services’ (“ISS”) (which encompasses everything from social media platforms, through educational platforms, to online games) to children.  In line with the extra-territorial scope of those laws, it applies to both UK-based companies and non-UK companies who process the personal data of UK children in the context of an ISS.

At the heart of the code are 15 standards that the ICO asks businesses to adhere to when designing online services that are targeted – either wholly or in part – at children.   Many of these standards will be familiar to those with existing knowledge of UK data protection law as they directly echo underlying statutory requirements.  Others are more softly linked to statutory requirements, and reflect the ICO’s view on what constitutes fair and proportionate behaviour in the context of data protection law when it comes to a vulnerable group of data subjects such as young people.   Ultimately, the standards are cumulative and interlinked, and so in practice, they must all be observed:

  1. Best interests of the child should be the primary focus at all times;
  2. Data Protection Impact Assessments are to be undertaken whenever appropriate which, in relation to the processing of data concerning children, will be frequently;
  3. Age appropriate application, taking into account the specific age range and level of development of the intended audience;
  4. Transparency, which means being clear, open and honest with younger users in a way they will understand;
  5. Detrimental use of data (being any use of data that is obviously detrimental to children’s physical or mental health and wellbeing or that goes against industry codes of practice) is prohibited;
  6. Policies and community standards are to be upheld;
  7. Default settings must be ‘high privacy’;
  8. Data minimisation to be applied when collecting data from children;
  9. Data sharing should be limited, and non-routine data sharing will typically require a compelling reason to do so;
  10. Geolocation must be switched off by default;
  11. Parental controls are permitted and may be helpful, but it should be made transparent to the child that such controls are in place and whether the child is being tracked or monitored;
  12. Profiling is off by default;
  13. Nudge techniques (i.e. design features which lead or encourage users to follow the designer’s preferred paths in the user’s decision making) are discouraged;
  14. Connected toys and devices must conform with the Code; and
  15. Online tools must be accessible and prominent to help the child.

The Code fleshes out each standard in more detail, explaining its particular relevance, outlining the underlying legal obligations and providing practical tips on implementation.

Who does it impact?

The Code is aimed at ‘relevant information society services which are likely to be accessed by children.’ Whilst the definition of an ISS includes a requirement that it normally be provided for remuneration (therefore excluding public services and other non-profit activities), the scope of ISS providers in a commercial context is broad, and includes but is not limited to app developers, gaming companies, toy companies, social media platforms, educational apps and websites, and all media, TV and radio businesses.

What is the status of the Code (and what happens if I don’t comply)?

The Code is a statutory code of practice which the ICO is required to publish under the Data Protection Act.  It is only the second such code published under the 2018 Act, following on from the Data Sharing Code which came into force earlier in the Summer.

The Code formally sets out the ICO’s interpretation of how data protection law applies in this area.  It will therefore be the primary point of reference for the ICO when investigating and taking enforcement action against businesses operating online in relation to issues involving children.  Further, the Children’s Code can also be used in evidence in court proceedings, and the courts must take its provisions into account wherever relevant.

Therefore, whilst its recommendations are not themselves legally binding, compliance with the Code is strongly recommended.

Please get in touch with any member of the UK data protection team if you have any questions about the Code and it impact on your organisation.