6. April 2021 | 1:02:14
The Age Appropriate Design Code (the "Children's Code") came into force on 2 September 2020. With the year-long transition period more than halfway through, time is running out for organisations doing business in the UK to make sure they comply with the requirements of the Children's Code.
The Children's Code will apply where personal data is processed in the provision of digital services which are likely to be accessed by users under 18 (a much broader range of services than those explicitly designed for or targeting under 18s).
It is a statutory code of practice, prepared by the Information Commissioner's Office (the "ICO and is the first of its kind in Europe, designed to specifically address the handling of children's personal data.
The Children's Code contains 15 interconnecting standards that set out the requirements online services must meet to make their services suitable for children. Topics include data minimisation, parental controls, and connected toys. The Children's Code sits alongside data protection legislation (the Data Protection Act 2018 and the UK GDPR) to provide structure and detailed guidance to service operators' data privacy compliance efforts, and standards for the regulator to consider when determining the legality of processing activities.
The code contains guidance on standards of age-appropriate design for information society services likely to be accessed by children, not just sites actively targeting children. This will prove challenging for many site operators since information society services of various sorts can be found across many sites, apps and portals covering a huge swathe of online activity.
The Children's Code will create significant work for operators whose services do not target children but may be accessed by individuals of all ages – for example, news sites, social media sites, and aggregators which are likely to be accessed by older teenagers. They will need to work out what age range to pitch not only the policies and privacy notices but also the design and functionality of the whole site.
The ICO says that a service is "likely" to be accessed by under 18s if the possibility is "more probable than not". But despite the publication of some helpful guidance it is still not clear how this assessment should be made and organisations will have to undertake their own reviews and risk assessments using their own judgement. More ICO guidance may be available in the coming months, but organisations need to act now to meet the Children's Code standards before the 2 September 2021 deadline.
For many organisations, a review of policies and data gathering procedures will indicate some changes that can be easily made, but for others, compliance with the Children's Code will be a significant challenge – particularly for services that are not designed for children but are still likely to be accessed by them.