17 February 2020
Applies to information society services specifically directed at or likely to be accessed by children.
The Data Protection Act 2018 (DPA18) requires the UK's Information Commissioner to prepare a number of Codes of Practice to assist with specific types of data processing. S.121 requires the ICO to prepare a Code of Practice on standards of age appropriate design of relevant information society services which are likely to be accessed by children.
The Code owes its existence in large part to a number of campaigners who insisted on amendments to the DPA18 as it was going through Parliament. 5Rights, one of the most prominent groups, described the Code as "a new deal between children and the tech sector", adding: "It will redress the balance between the needs and safety of children and the commercial interests of online services". In developing the draft Code, the ICO was required to consult with relevant organisations as well as parents and children, and to consider the UK's obligations as a signatory to the United Nations Convention on the Rights of the Child.
The ICO has published its final version (subject to Parliamentary approval) of its Age Appropriate Design Code of Practice for online services. The Code now has to be laid before Parliament. It will take effect following Parliamentary approval, after which businesses will have twelve months to implement necessary changes.
The Code applies to providers of information society services: anyone providing online products or services that process personal data and are likely to be accessed by children. This includes apps, programs, websites, games or community environments, connected toys and services with or without a screen, search engines, streaming services, and news or educational websites (subject to limited exceptions).
The Code is not restricted to services specifically directed at children but applies to those likely to be accessed by children (ie where access by children is more probable than not).
The Code sets out 15 standards of age appropriate design reflecting a risk-based approach. The focus is on providing default settings which ensure children have the best access to online services while minimising data collection and use by default. It also aims to ensure children get the right information and guidance about changing their privacy settings and that their data is properly protected.
If you provide an information society service caught by the Code, you will have twelve months following Parliamentary approval to comply with it. The Code is not restricted to services specifically directed at children but applies to those likely to be accessed by children (ie where access by children is more probable than not), so the first step is to decide whether or not you need to comply, preferably by carrying out a DPIA so you can demonstrate compliance.
One of the challenges is finding ways to comply with the Code while also respecting principles of data minimisation. It's worth remembering that the Code reaches beyond the confines of strict data protection issues to cover techniques which might (whether deliberately or not) encourage children to provide more personal data than they need to.
The 15 standards set out in the Code are:
See also our series of articles on children and personal data on the Global Data Hub.