We provide the complete commercial debt recovery service; from outsourced early arrears collections through to expert litigation, all handled in-house by a multi-award-winning law firm.

 

Visit our debt recovery website

The Children’s Code came into force on 02 September 2020 with a 12-month transition period. Therefore, the deadline has now passed for organisations to ensure compliance.  

Who does the Code apply to? 

It is important to note that the Code is not restricted to services specifically directed at children. The Code applies to you if you provide information society services (ISS). For example, if you provide online products or services that process personal data and are likely to be accessed by children, including: 

  • apps 
  • search engines 
  • social media platforms 
  • streaming services 
  • news or educational websites 
  • programs 
  • websites 
  • games 
  • community environments 
  • connected toys or devices with or without a screen

There are circumstances where the Code does not apply because the service being offered does not fall within the definition of an ISS. For instance, if a public authority provides an online public service that is not provided on a commercial basis, that service would not be deemed a relevant ISS and therefore, the Code will not apply 

The ICO has provided some guidance on the services that are covered by the Code and those that are exempt. The guidance can be accessed by clicking on the following link: https://ico.org.uk/for-organisations/guide-to-data-protection/ico-codes-of-practice/age-appropriate-design-a-code-of-practice-for-online-services/

What are the Code standards? 

The Code sets out 15 standards that all ISS must comply with. We have provided details of each in the table below:

Standard  How to comply 
Best interest of the child  The best interests of the child should be a primary consideration when designing and developing online services that are likely to be accessed by a child. 
Data protection impact assessments (DPIA)  Undertake a DPIA to assess and mitigate risks to the rights and freedoms of children who are likely to access your service. 
Age-appropriate application  Take a risk-based approach to recognise the age of individual users and apply the standards set out in this table. 
Transparency  Information provided to users (including your policies and community standards) must be concise, transparent and suited to the age of the child.  
Detrimental use of data  Do not use children’s personal data in ways that have been shown to be detrimental to their wellbeing, or that go against industry codes of practice, regulatory provisions or Government advice. 
Policies and community standards  Uphold your own published terms, policies and community standards. 
Default settings  Unless you can demonstrate a compelling reason for a different default setting, settings must be ‘high privacy’ by default. 
Data minimisation  Collect and retain only the minimum amount of personal data you need to provide the elements of your service in which a child is actively and knowingly engaged.  
Data sharing  Children’s data should not be disclosed unless you can demonstrate a compelling reason to do so, whilst taking into account the best interests of the child. 
Geolocation  Switch geolocation options off by default (unless you can demonstrate a compelling reason for geolocation to be switched on by default, taking into account the best interests of the child). Options that make a child’s location visible to others must default to ‘off’ at the end of each session. 
Parental controls  If you provide parental controls, give the child age-appropriate information about this and let them know they are being monitored. 
Profiling  You should only allow profiling if you have appropriate measures in place to protect the child from any harmful effects and switch options that use profiling ‘off’ by default unless you have a compelling reason not to do so. 
Nudge techniques  Do not use nudge techniques to lead or encourage children to provide unnecessary personal data or weaken or turn off their privacy protections. 
Connected toys and devices  If you provide a connected toy or device ensure you include effective tools to enable conformance to the Code. 
Online tools  Provide prominent and accessible tools to help children exercise their data protection rights and report concerns. 

What happens if you are not compliant?

As part of the Data Protection Act (DPA) 2018, non-compliance with the Age Appropriate Design Code will be treated in much the same manner as violations against other sections of the Act, depending upon the severity of the violation. The ICO’s enforcement methods include:

  • orders to cease processing of data
  • mandatory data protection audits
  • fines of up to 4% of a company’s turnover

Next steps 

If you have not already done so, you should start reviewing your existing services to establish whether they are covered by the Code. If they are covered, you should review your existing DPIA or conduct a new one as soon as possible.  

When conducting the DPIA, you should focus on assessing conformance with the standards in the Code and identifying any additional measures necessary to conform. 

With the compliance deadline now passed, applicable changes to the service should be made as a matter of urgency.

Should you require any support with complying with the Code or wish to discuss the requirements of the Code further, please call us on 01332 226 130 or complete the form below. 

SHARE

Share

Scroll to next section

Scroll back to the top

Privacy Overview

This website uses cookies so that we can provide you with the best user experience possible. Cookie information is stored in your browser and performs functions such as recognising you when you return to our website and helping our team to understand which sections of the website you find most interesting and useful.

For more information on how these cookies work, please refer to our Cookies Policy.

Strictly necessary cookies

Necessary cookies enable core functionality such as security, network management, and accessibility. You may disable these by changing your browser settings, but this may affect how the website functions.

Analytics Cookies

These cookies allow us to count visits and traffic sources so we can measure and improve the performance of our website. They help us to know which pages are the most and least popular and see how visitors move around the site. All information these cookies collect is aggregated and therefore anonymous.

Force24 cookies & tracking

This website utilises Force24’s marketing automation platform. Force24 cookies are first-party cookies and are enabled at the point of cookie acceptance on this website. The cookies are named below:

F24_autoID
F24_personID

They allow us to understand our audience engagement thus allowing better optimisation of marketing activity.