What's the issue?

The last few years have seen considerable focus on protecting people, especially children and other vulnerable people, from online harm. Regularly included in the list of online harms is the threat to privacy. While the GDPR does introduce additional protections for children's data under the UK's Data Protection Act 2018 (DPA18), the ICO was required to provide guidance to providers of digital and online services on how to handle children's personal data on their platforms, apps, portals and sites.

What's the development?

The ICO's Age Appropriate Design Code (AADC), also known as the Children's Code, came into force on 2 September 2020. It is a statutory Code of Practice which means its provisions cannot be directly enforced but the regulator will take them into account when taking enforcement action under the DPA18.

The AADC contains 15 standards for digital (information society) services likely to be accessed by children (under 18). This means it covers services which are not necessarily targeted at children but which are likely to be accessed by them. The standards set out the requirements that online service providers must meet to ensure their services are suitable for children, going beyond the strict confines of data protection.

What does this mean for you?

Compliance with the AADC will be a challenge for a number of reasons, not least because it covers such a wide range of services across sites, apps and portals. Another issue is that it is up to the service providers to assess how likely it is that under-18s will access them and to ensure the AADC as implemented works across a range of age groups.

Recognising this, the ICO has allowed a twelve month period before the AADC comes into effect to allow businesses time to comply. The ICO is expected to publish guidance to help SMEs shortly.

Find out more

Listen to our webinar on the Children's Code and you can read more about the AADC and how to handle children's personal data on our Global Data Hub.