Across Europe, nation states continue to develop new legislation, codes of practice and recommendations on data privacy. Despite being in a period of transition after leaving the EU, the UK is no exception. The Data Protection Act 2018 required the UK's Information Commissioner to prepare a number of Codes of Practice to provide guidance on specific types of data handling, including a Code of Practice on Standards of Age Appropriate Design (the AADC) for digital services which are likely to be accessed by users under 18.
The AADC contains 15 interconnecting provisions that set out the requirements online services must meet to make their services suitable for children. Topics include data minimisation and connected toys. When in force, the AADC will sit alongside data protection legislation to provide structure and detailed guidance to service operators' data privacy compliance efforts, and standards for the regulator to consider when determining the legality of processing activities.
The Code came into effect on 2 September 2020 with a 12-month transition period.
For many organisations, a year will be easily sufficient to prepare, but for others it will be a significant challenge – particularly for services that are not designed for children but are still likely to be accessed by them.
The ICO says that "likely" means the possibility of access by children is "more probable than not". But guidance does not yet clarify whether the AADC applies if it's more probable than not that a small number of children will access a service, even where they represent a tiny proportion of service users. In these situations, it seems likely that the site will be caught by AADC requirements. More ICO guidance is expected in the coming months, but organisations need to act now to meet the AADC standards within the 12-month grace period.
The AADC contains guidance on standards of age-appropriate design for information society services likely to be accessed by children, not just sites actively targeting children. This will prove challenging for many site operators since information society services of various sorts can be found across many sites, apps and portals covering a huge swathe of online activity.
The AADC is set to apply to users under the age of 18, in contrast to the GDPR, which largely focuses on the rights of under-16s when considering the special status of children and their need for protection. The AADC will create significant work for operators whose services do not target children but may be accessed by individuals of all ages – for example, news sites and aggregators which are likely to be accessed by older teenagers. They will need to work out what age range to pitch not only the policies and privacy notices but also the design and functionality of the whole site.
To learn more about how the Age Appropriate Design Code might affect your business, including the key compliance challenges it presents, register now for our webinar on 8 September 2020.