The UK Information Commissioner’s (ICO) Age Appropriate Design Code (more commonly known as the Children’s Code) is a statutory code of practice grounded in the provisions of the United Nations Convention on the Rights of the Child (UNCRC) and aims to create an open, transparent and safer place for children to explore, learn and play online with their best interests in mind.
The Code supports compliance with the General Data Protection Regulation (GDPR) by setting out standards that organisations should adhere to in respect of online services which are likely to be accessed by children and which are typically provided on a for-profit basis. Organisations which fall within the scope of, but do not conform with, the Code, which came into force on 2 September 2021, are unlikely to be able to demonstrate that their processing of children’s personal data is compliant with the GDPR. Such organisations inevitably risk regulatory action from the ICO, such as fines.
The Code is having a global impact. Shortly after the ICO published its draft Code in August 2020, the Irish Data Protection Commission published its own draft Fundamentals for a Child-Oriented Approach to Data Processing on 18 December 2020. The Code focuses more heavily upon privacy-by-design features than the Fundamentals, but both follow similar principles. On 30 June 2021, US Senator Edward J. Markey and Members of Congress Kathy Castor and Lori Trahan called upon Amazon, Facebook, Google, Snap, TikTok and Twitter to voluntarily adopt the standards in the Code for children in the US.
Who does the Code apply to?
The Code applies to “relevant information society services [ISS] which are likely to be accessed by children” aged under 18 in the UK, whether or not the organisation is established in or outside the UK.
ISS are “any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services”, such as apps, connected toys and devices, content streaming services (e.g. music and video), educational or news websites, online games, online marketing and marketplaces, messaging services, programs, search engines, social media platforms and any websites offering other goods or services to users over the internet.
What does the Code consist of?
The Code sets out 15 flexible, interlinked and risk-based standards for ISS providers to conform to. These standards correspond to the GDPR requirements of accountability, data minimisation, data protection by design and by default, data protection impact assessment (DPIA), fairness, lawfulness and transparency, individual rights, and purpose limitation. The standards can be grouped into three thematic areas as follows; the numbering of the standards corresponds to that in the Code.
| Core principles | Service design | Data processing |
| --- | --- | --- |
| (1) Best interests of the child should be a primary concern. | (4) Transparency by ensuring privacy information is clear and prominent. | (6) Policies and community standards to ensure organisations do what they say. |
| (2) DPIAs should be completed. | (10) Geolocation should be apparent when used and switched off by default. | (7) Default settings to switch off unnecessary processing. |
| (3) Age appropriate application to ensure services account for the needs of children across age ranges. | (11) Parental controls should be clearly apparent when active. | (9) Data sharing should not occur without a compelling reason. |
| (5) Detrimental use of data to wellbeing should be avoided. | (13) Nudge techniques should not be used to erode privacy. | (12) Profiling should have appropriate safeguards and be switched off by default. |
| (8) Data minimisation by only collecting necessary personal data. | (15) Online tools to exercise rights should be accessible, tailored and prominent. | (14) Connected toys and devices should be clear about data protection responsibilities and avoid passive data collection. |
It may be helpful to consider our previous article on dark patterns for additional guidance on what the ICO may regard as a privacy-eroding nudge technique.
What steps need to be taken to comply?
In light of this, it is important that organisations:
- establish whether or not they provide ISS within the scope of the Code (a flowchart is set out as guidance in this regard in Annex A of the Code);
- establish (for example, via market research and user testing) whether or not their ISS are likely to be accessed by children under 18, to a level of certainty appropriate to the risks to the rights and freedoms of those children;
- take a risk-based approach to recognising the age of individual users and effectively apply the standards in the Code to child users, in particular by undertaking a DPIA (a template is set out in Annex D of the Code) which also maps out the processing of children’s data and the associated user journeys;
- plan to improve wellbeing for all users rather than find ways to unnecessarily exclude children from ISS, for example by simplifying privacy notices so that they can be understood by all users; and
- develop a transformation plan which engages all relevant internal and external stakeholders (for example, parents and children) and is supported by privacy-by-design guidance.
Trilateral’s Data Protection and Cyber-Risk Team has significant experience supporting organisations in respect of due diligence. We offer a range of data governance services. Trilateral can help audit existing practices, perform gap analyses, and offer compliance support. For more information, please feel free to contact our advisers, who would be more than happy to help.