The Children's Code comes of age – a conversation with the ICO

The Age Appropriate Design Code (the Children's Code) has now fully come into force, with the year-long transition period having ended earlier this month. Businesses operating in the UK are now obliged to comply with the requirements set out in the Children's Code.

The Children's Code, a statutory code of practice prepared by the Information Commissioner's Office (the ICO), applies where personal data is processed in the provision of digital services which are likely to be accessed by users aged under 18. With the Children's Code having now "come of age", the ICO is shifting its focus away from collaborative approaches and now more towards a supervisory role. 

Vinod Bange is joined by Jacob Ohrvik-Stott, Head of Regulatory Futures at the ICO, where he leads their work to deliver the Children’s Code and develop the ICO’s approach to horizon scanning. Prior to joining the ICO, Jacob worked for technology think tank Doteveryone leading research into tech regulation, the digital economy and public digital rights.

The Children's Code: the story so far

The Children's Code is by design a broad code of practice, intending to cover as much media as possible, including but not limited to websites, apps, online games and digital wearables. Grounded in the UN Convention on the Rights of the Child (the UCRC), the Code articulates existing UK legislation, namely the UK General Data Protection Regulation (UK GDPR) and covers 15 interlinked standards spanning certain core principles, service design and high-risk data processing, enabling the fair processing of children's data.

• 11 June 2020: The Children's Code is laid before Parliament.
• 3 July 2020: Impact assessment is submitted to Government.
• 21 July 2020: Parliamentary scrutiny completed.
• 2 September 2020: Beginning of the transition period. ICO opted for the maximum, one-year transition period to give online services as much time as possible to implement the Children's Code.
• 2 September 2021: End of the transition period.

In previous discussions of the Children's Code, at the end of March 2021 attendees thought the following:

• "Do you think the Children's Code will apply to your business?" – significant majority agreed.
• "Are key stakeholders in your business already aware of the Code?" – two-thirds stated that their key stakeholders were partially aware, but that more engagement and awareness was required.
• "Can your business achieve compliance by the end of the transition period?" – two-thirds thought this was achievable but that they would need a clear programme of change (with the rest being unsure).
• "Have you conducted an assessment of the scope of your services and products that are caught by the Code?" – most said yes, but at a high level only.
• "Does the Code have extraterritorial impact?" – most agreed.
• "Does the Code require to adopt age-gating?" – 70% thought this was a possibility but required further assessment, with 25% in full agreement.
• "What more could ICO do?" – half thought that ICO could provide specific feedback on more key areas and their approach to enforcement. A further 40% wanted ICO to provide more guidance.

There is further scope for individuals and businesses to gain more knowledge of the Children's Code, namely by increasing stakeholder awareness and engagement.

End of the transition period: what now?

As well as helping individuals and businesses understand what is meant by the "best interests of the child" in reference to the UNCRC and reviewing how data impacts on children's rights, ICO offers support by way of Data Protection Impact Assessments (DPIAs) for online retail, gaming and connected device scenarios, as well as providing explanatory content in the form of deep-dive blogs, introductory webinars, industry case studies and commissioned academic articles. ICO also provides support for organisations through formal schemes such as the ICO Sandbox, business advice and certifications, including a Children's Code-specific certificate.

In conjunction with design agency Big Motive, design guidance is a key avenue in ICO maintaining its engagement with organisations and providing insight into how the Children's Code will look in practice. ICO's Transparency Champions Open call set out a series of lessons for transparency design for children, grounded in stakeholder consultation. ICO's design guidance also comprises guidelines and patterns in terms of what ideas should be emulated or avoided, as well as providing practical tools by way of workshops for people to map out different privacy moments.

The road ahead – a shift in focus

ICO is now shifting its attention towards supervision. Over the next 6 months, ICO's supervision will prioritise its focuses on the gaming, social media and streaming services sectors, looking into scoping its audits and with plans to progress enforcement actions. ICO will publish detailed guidance on age assurance and age-appropriate application in the coming months this year, focusing on practical applications and providing advice on how to interpret risk levels, as well as continuing its commitment to review the impact of the Children's Code in September 2022 (which will include various exercises such as further discussions with industry).

There is nonetheless an understanding that queries will persist and the ICO will continue parts of its engagement with industry. Furthermore, Ofcom, the CMA and more recently the FCA have worked together in traversing digital regulation issues as of late which is a key avenue in continuing ICO's collaborative approaches.

Questions for ICO

• With the growing interest in using legal design to improve the transparency of privacy notices and related documentation, many lawyers may be nervous with replacing traditional terminology at risk of increasing their clients' liability. Therefore, by moving towards non-traditional legal design, will this cause problems moving forwards?
• Some businesses, such as digital news media, have broad applications that older teenagers may use (albeit as a small proportion of the user base). In terms of %s, what are the thresholds in meeting the requirements of the Children's Code?
• There's a risk that some services will seek use of parental consent to avoid the need to explain complex privacy content to children. How will ICO ensure this requirement isn't bypassed?
• How can the conflict between businesses acting in the best interests of children vs. best interests of the business itself be addressed?
• What age verification and assurance tools are ICO hoping to develop in the future?
• Most SMEs have never carried out DPIA or risk-based assessments. What can be done to help SMEs who have fewer resources to ensure compliance with the Code? Do SMEs risk being opened up to non-compliance by asking ICO for help?
• How much scope is there for businesses and industry to provide feedback ahead of the 2022 review?