ICO publishes Age Appropriate Design Code of Practice

Applies to information society services specifically directed at or likely to be accessed by children.

What's the issue?

The Data Protection Act 2018 (DPA18) requires the UK's Information Commissioner to prepare a number of Codes of Practice to assist with specific types of data processing. S.121 requires the ICO to prepare a Code of Practice on standards of age appropriate design of relevant information society services which are likely to be accessed by children.

The Code owes its existence in large part to a number of campaigners who insisted on amendments to the DPA18 as it was going through Parliament. 5Rights, one of the most prominent groups, described the Code as "a new deal between children and the tech sector" adding "It will redress the balance between the needs and safety of children and the commercial interests of online services". In developing the draft Code the ICO was required to consult with relevant organisations as well as parents and children and to consider the UK's obligations as a signatory to the United Nations Convention on the Rights of the Child.

What's the development?

The ICO has published its final version (subject to Parliamentary approval) of its Age Appropriate Design Code of Practice for online services. The Code now has to be laid before Parliament. It will take effect following Parliamentary approval after which businesses will have twelve months to implement necessary changes.

The Code applies to providers of information society services – anyone providing online products or services, including apps, programs, websites, games or community environments and connected toys and services with or without a screen that process personal data and are likely to be accessed by children, search engines, streaming services, and news or educational websites (subject to limited exceptions).

The Code is not restricted to services specifically directed at children but applies to those likely to be accessed by children (ie where access by children is more probable than not).

The Code sets out 15 standards of age appropriate design reflecting a risk-based approach. The focus is on providing default settings which ensure children have the best access to online services while minimising data collection and use by default. It also aims to ensure children get the right information and guidance about changing their privacy settings and that their data is properly protected.

‍What does this mean for you?

If you provide an information society service caught by the Code, you will have twelve months following Parliamentary approval, to comply with it. The Code is not restricted to services specifically directed at children but applies to those likely to be accessed by children (ie where access by children is more probable than not) so the first step is to decide whether or not you need to comply, preferably by carrying out a DPIA so you can demonstrate compliance.

One of the challenges is finding ways to comply with the Code while also respecting principles of data minimisation and it's worth remembering that the Code reaches beyond the confines of strict data protection issues to cover techniques which might (whether deliberately or not) encourage children to provide more personal data than they need to.

Read more

The 15 standards set out in the Code are:

• Best interests of the child: should be a primary consideration when you design and develop services likely to be accessed by a child.
• DPIAs: should be carried out to mitigate risk. Take into account different ages, capacities and development needs.
• Age appropriate application: take a risk-based approach to recognising the age of individual users. Either establish age with a level of certainty or apply the standards in the Code to all users.
• Transparency: information has to be provided in a way which is suited to the age of the child. Provide specific bite-sized explanations about how you use personal data at the point that use is activated.
• Detrimental use of data: do not use children's personal data in ways that have been shown to be detrimental to their wellbeing or which go against industry codes of practice, other regulatory provisions or government advice.
• Policies and community standards: uphold your own published terms, policies and standards.
• Default settings: settings must be 'high privacy' by default (unless you can demonstrate a compelling reason for a different default setting, taking into account the best interests of the child).
• Data minimisation: Collect and retain only the minimum amount of personal data you need to provide the elements of your service in which a child is actively and knowingly engaged. Give children separate choices over which elements they wish to activate.
• Data sharing: do not disclose children's data unless you can demonstrate a compelling reason to do so, taking into account the best interests of the child.
• Geolocation: switch geolocation options off by default (unless you can demonstrate a compelling reason for them to be switched on, taking into account the best interests of the child). Provide an obvious sign for children when location tracking is active. Where an option makes a child's location visible to others, it must default back to 'off' at the end of each session.
• Parental controls: children must be given age appropriate information about any parental controls. If a service allows parental monitoring or location tracking, an obvious sign must be given to the child when this is happening.
• Profiling: switch profiling options off by default (unless you can demonstrate a compelling reason not to taking account of the best interests of the child). Only allow profiling if appropriate measures are in place to prevent any harmful effects.
• Nudge techniques: do not use nudge techniques to lead or encourage children to provide unnecessary personal data or weaken or turn off their privacy protections.
• Connected toys and devices: if you provide a connected toy or device, ensure you include effective tools to enable conformance to this code.
• Online tools: provide prominent and accessible tools to help children exercise their data protection rights and report concerns.

See also our series of articles on children and personal data on the Global Data Hub.