The Children's Code – getting ready for compliance

The Age Appropriate Design Code (the "Children's Code") came into force on 2 September 2020. With the year-long transition period more than halfway through, time is running out for organisations doing business in the UK to make sure they comply with the requirements of the Children's Code.

The Children's Code will apply where personal data is processed in the provision of digital services which are likely to be accessed by users under 18 (a much broader range of services than those explicitly designed for or targeting under 18s).

It is a statutory code of practice, prepared by the Information Commissioner's Office (the "ICO and is the first of its kind in Europe, designed to specifically address the handling of children's personal data. 

The Children's Code contains 15 interconnecting standards that set out the requirements online services must meet to make their services suitable for children. Topics include data minimisation, parental controls, and connected toys. The Children's Code sits alongside data protection legislation (the Data Protection Act 2018 and the UK GDPR) to provide structure and detailed guidance to service operators' data privacy compliance efforts, and standards for the regulator to consider when determining the legality of processing activities.

What sort of services are captured by the Children's code?

The code contains guidance on standards of age-appropriate design for information society services likely to be accessed by children, not just sites actively targeting children. This will prove challenging for many site operators since information society services of various sorts can be found across many sites, apps and portals covering a huge swathe of online activity.

The Children's Code will create significant work for operators whose services do not target children but may be accessed by individuals of all ages – for example, news sites, social media sites, and aggregators which are likely to be accessed by older teenagers. They will need to work out what age range to pitch not only the policies and privacy notices but also the design and functionality of the whole site.

Will this apply to my organisation?

The ICO says that a service is "likely" to be accessed by under 18s if the possibility is "more probable than not". But despite the publication of some helpful guidance it is still not clear how this assessment should be made and organisations will have to undertake their own reviews and risk assessments using their own judgement. More ICO guidance may be available in the coming months, but organisations need to act now to meet the Children's Code standards before the 2 September 2021 deadline. 

For many organisations, a review of policies and data gathering procedures will indicate some changes that can be easily made, but for others, compliance with the Children's Code will be a significant challenge – particularly for services that are not designed for children but are still likely to be accessed by them.

What does the Children's Code require us to do?

• To meet the 15 standards, many organisations will need to undertake significant assessments of their services and their user base; some form of audit or review is the first step to making that assessment and it is crucial that the right people are involved in the process from the beginning.
• The requirements of the Children's Code should be factored into the product and service design and development process now including any data privacy impact assessments, as part of the privacy by design and default approach.
• Once issues are identified, time and resources should be allocated to resolving them, but the decisions won't always be straightforward. The need to verify user age may conflict with a desire to minimise the collection of user data and the rights of children to privacy even against their own parents in some cases, are difficult to protect while ensuring online safety. All decisions should be recorded in detail for future reference and mitigation.