On 22 January 2020, the ICO published its Age Appropriate Design: a code of practice for online services. The Code is meant to support compliance with the general principles of the existing data protection legislation (DPA 2018, PECR and GDPR) by setting out specific safeguards that apply to the processing of children’s personal data and providing guidance to organisations offering online services and apps likely to be accessed by children in the U.K.
Scope of application
The Code will apply to all relevant information society services (ISS), meaning ‘any service normally provided by an organisation or individual for remuneration, at a distance by electronic means and at the individual request of a recipient of services’, that are likely to be accessed by children in the U.K., irrespective of whether or not the provider is established in the U.K. While preventive and counselling services are excluded from its scope, the ICO specifies that the Code will also cover ‘not-for-profit apps, games and educational sites’ as long as these services can be considered ‘economic activities’ in a more general sense.
Importantly, the Code defines children as every individual under 18. This means that the ICO is now aligning the definition to the UN Convention on the Rights of the Child, rather than remaining aligned to other age-specific data-protection requirements, such as the 13-year-old threshold for consent as a valid lawful basis.
Content of the Code
The Code is composed of 15 interconnected ‘standards of age-appropriate design’. The ICO explains the meaning of each standard and its wider significance in the general data protection context, together with practical guidance on how to implement it. Because the standards are both cumulative and interdependent, every one of them must be implemented by relevant online service providers:
- Best interests of the child
- Data protection impact assessments
- Age appropriate application
- Detrimental use of data
- Policies and community standards
- Default settings
- Data minimisation
- Data sharing
- Parental controls
- Nudge techniques
- Connected toys and devices
- Online tools
In short, the Code prescribes that, when designing and developing online services that are likely to be accessed by children, the child’s best interests should be the primary consideration. Risks of child exploitation should be continuously assessed and mitigated through an early-stage Data Protection Impact Assessment. This means that online service providers within the scope of the Code are automatically treated as controllers of processing operations that are ‘likely to result in a high risk to the rights and freedoms’ of children.
According to the Code, online services will be required to tailor data protection measures and the information given in privacy notices to the age of their data subjects. Determining the age of the user base through ‘robust age verification mechanisms’ will therefore play a central role in successfully implementing the Code, though this will continue to be a challenge. Furthermore, the Code recommends the use of ‘bite-sized’ and ‘just in time’ notices that are shown whenever the data processing is triggered. This will heavily impact the overall user experience and user interfaces of websites, creating further challenges for UX designers.
The Code will also require that all settings of an online service that is likely to be accessed by children be set to ‘high privacy’ by default. Specifically, ancillary features (i.e., processing operations that are not essential to the provision of the core service that the child has requested) such as personalisation, profiling and geolocation should be turned off by default. When the user deviates from the default settings, the Code encourages the use of nudge techniques to remind data subjects of the significance of their choices. In addition, transfers of children’s personal data to third parties must be avoided unless there are compelling reasons to do so.
Timings and legal status
The Code will soon be notified to the European Commission as a Technical Standard, resulting in a three-month standstill period (Brexit will have no impact on this process, since the Code was published before exit day). It will then be laid before the UK Parliament for 40 days. Following these steps, an additional twelve-month grace period will apply, making it effectively applicable from Autumn 2021.
As a statutory code of practice under Section 123 of the UK Data Protection Act 2018, once the Code enters into force the ICO will take it into account when assessing the GDPR and PECR compliance of online service providers. Once it becomes legally enforceable, the ICO will have the power to stop processing operations related to children’s personal data and to issue fines of up to £17 million or 4% of global turnover.
How to react
Organisations that provide services likely to be accessed by children in the U.K. should start preparing for the implementation of the Code now and make full use of the time available before it becomes enforceable.
In order to do so, Trilateral advises the following:
- Determine the age range of your user base, even if you are not directly targeting children;
- Develop accessible privacy information and notices through different channels and media beyond text (for example, animated videos and infographics, which are particularly effective in delivering tailored information to children);
- Assess the risk of your processing operations related to children’s personal data through an early-stage DPIA with an appropriately low level of risk tolerance;
- Address the identified risk areas with suitable technical and organisational measures that are specifically tailored to the age range of your users.
Trilateral has experience in providing assistance in each one of the above-mentioned steps. As such, we can help you prepare for the implementation of the Code and assess the risk your processing may pose to children and your organisation. For further information, please feel free to contact one of our advisors at the Data Governance and Cyber-Risk Team.