Child Data Privacy Code

The ICO have published the final version of its Age Appropriate Design Code (“the code”), which sets out the standards that online services need to meet in order to protect children’s privacy. It applies to providers of information services likely to be accessed by children in the UK, including applications, programs, websites, social media platforms, messaging services, games, community environments and connected toys and devices, where these offerings involve the processing of personal data. The ICO expects the transition period to end by autumn 2021, and has said that it is preparing a significant package of support for organizations as they work towards compliance.

The code sets out 15 flexible standards of age appropriate design for online services. These standards focus on providing “high privacy” default settings, transparency to children with regard to active location tracking and parental controls, and minimized data collection and use, while prohibiting nudge techniques that could encourage children to reveal more personal details and profiling that automatically recommends sexual or violent content to children based on their searches. The standards are noted below:

1. Best interests of the child
2. Data protection impact assessments
3. Age appropriate application
4. Transparency
5. Detrimental use of data
6. Policies and community standards
7. Default settings
8. Data minimisation
9. Data sharing
10. Geolocation
11. Parental controls
12. Profiling:
13. Nudge techniques
14. Connected toys and devices
15. Online tools

The code has published in accordance with the ICO’s obligation under section 123 of the Data Protection Act 2018 to prepare a code of practice on standards of age appropriate design for online services likely to be accessed by children.

The code adds that organizations should take a common sense approach when assessing this likelihood, taking into account the nature and content of the service, and its appeal to children, as well as the accessibility of the service to children.

The code states in its foreword: “For all the benefits the digital economy can offer children, we are not currently creating a safe space for them to learn, explore and play. This statutory code of practice looks to change that, not by seeking to protect children from the digital world, but by protecting them within it.”

The ICO describes the standards as “flexible,” but emphasizes that, “conforming to the standards in this code will be a key measure of your compliance with data protection laws.” Once the code takes effect, online services within the scope of the code would have 12 months to become compliant. If implemented, violators could face fines of up to 4% of their global revenue.

Written by Hasnath Ahmed, Solicitor