The Age Appropriate Design Code – the GDPR gets specific

We already have the GDPR, so what is this new code for?

Across Europe, nation states continue to develop new legislation, codes of practice and recommendations on data privacy. Despite being in a period of transition after leaving the EU, the UK is no exception. The Data Protection Act 2018 required the UK's Information Commissioner to prepare a number of Codes of Practice to provide guidance on specific types of data handling, including a Code of Practice on Standards of Age Appropriate Design (the AADC) for digital services which are likely to be accessed by users under 18.

The AADC contains 15 interconnecting provisions that set out the requirements online services must meet to make their services suitable for children. Topics include data minimisation and connected toys. When in force, the AADC will sit alongside data protection legislation to provide structure and detailed guidance to service operators' data privacy compliance efforts, and standards for the regulator to consider when determining the legality of processing activities.

The Code came into effect on 2 September 2020 with a 12-month transition period.

How do we prepare?

For many organisations, a year will be easily sufficient to prepare, but for others it will be a significant challenge – particularly for services that are not designed for children but are still likely to be accessed by them.

The ICO says that "likely" means the possibility of access by children is "more probable than not". But guidance does not yet clarify whether the AADC applies if it's more probable than not that a small number of children will access a service, even where they represent a tiny proportion of service users. In these situations, it seems likely that the site will be caught by AADC requirements. More ICO guidance is expected in the coming months, but organisations need to act now to meet the AADC standards within the 12-month grace period.

When is a child a child under the AADC?

The AADC contains guidance on standards of age-appropriate design for information society services likely to be accessed by children, not just sites actively targeting children. This will prove challenging for many site operators since information society services of various sorts can be found across many sites, apps and portals covering a huge swathe of online activity.

The AADC is set to apply to users under the age of 18, in contrast to the GDPR, which largely focuses on the rights of under-16s when considering the special status of children and their need for protection. The AADC will create significant work for operators whose services do not target children but may be accessed by individuals of all ages – for example, news sites and aggregators which are likely to be accessed by older teenagers. They will need to work out what age range to pitch not only the policies and privacy notices but also the design and functionality of the whole site.

What does the AADC require us to do?

• To meet the 15 AADC standards, many organisations will need to undertake significant assessments of their services and their user base.
• For most organisations, some form of audit or review is the first step to making that assessment – it is crucial that the right people are involved in the process from the beginning.
• The requirements of the AADC should be factored into the product and service design and development process now, as part of the privacy by design and default approach.
• Once issues are identified time and resources should be allocated to resolving them, but the decisions won't always be straightforward. The need to verify user age may conflict with a desire to minimise the collection of user data and the rights of children to privacy even against their own parents in some cases, are very difficult to protect while ensuring online safety. All decisions should be taken carefully and recorded in detail for future reference and mitigation.

Find out more

To learn more about how the Age Appropriate Design Code might affect your business, including the key compliance challenges it presents, register now for our webinar on 8 September 2020.