The Children’s Code came into force on 02 September 2020 with a 12-month transition period. Therefore, the deadline has now passed for organisations to ensure compliance.
Who does the Code apply to?
It is important to note that the Code is not restricted to services specifically directed at children. The Code applies to you if you provide information society services (ISS). For example, if you provide online products or services that process personal data and are likely to be accessed by children, including:
- search engines
- social media platforms
- streaming services
- news or educational websites
- community environments
- connected toys or devices with or without a screen
There are circumstances where the Code does not apply because the service being offered does not fall within the definition of an ISS. For instance, if a public authority provides an online public service that is not provided on a commercial basis, that service would not be deemed a relevant ISS and therefore, the Code will not apply.
The ICO has provided some guidance on the services that are covered by the Code and those that are exempt. The guidance can be accessed by clicking on the following link: https://ico.org.uk/for-organisations/guide-to-data-protection/key-data-protection-themes/age-appropriate-design-a-code-of-practice-for-online-services/services-covered-by-this-code/
What are the Code standards?
The Code sets out 15 standards that all ISS must comply with. We have provided details of each in the table below:
||How to comply
|Best interest of the child
||The best interests of the child should be a primary consideration when designing and developing online services that are likely to be accessed by a child.
|Data protection impact assessments (DPIA)
||Undertake a DPIA to assess and mitigate risks to the rights and freedoms of children who are likely to access your service.
||Take a risk-based approach to recognise the age of individual users and apply the standards set out in this table.
||Information provided to users (including your policies and community standards) must be concise, transparent and suited to the age of the child.
|Detrimental use of data
||Do not use children’s personal data in ways that have been shown to be detrimental to their wellbeing, or that go against industry codes of practice, regulatory provisions or Government advice.
|Policies and community standards
||Uphold your own published terms, policies and community standards.
||Unless you can demonstrate a compelling reason for a different default setting, settings must be ‘high privacy’ by default.
||Collect and retain only the minimum amount of personal data you need to provide the elements of your service in which a child is actively and knowingly engaged.
||Children’s data should not be disclosed unless you can demonstrate a compelling reason to do so, whilst taking into account the best interests of the child.
||Switch geolocation options off by default (unless you can demonstrate a compelling reason for geolocation to be switched on by default, taking into account the best interests of the child). Options that make a child’s location visible to others must default to ‘off’ at the end of each session.
||If you provide parental controls, give the child age-appropriate information about this and let them know they are being monitored.
||You should only allow profiling if you have appropriate measures in place to protect the child from any harmful effects and switch options that use profiling ‘off’ by default unless you have a compelling reason not to do so.
||Do not use nudge techniques to lead or encourage children to provide unnecessary personal data or weaken or turn off their privacy protections.
|Connected toys and devices
||If you provide a connected toy or device ensure you include effective tools to enable conformance to the Code.
||Provide prominent and accessible tools to help children exercise their data protection rights and report concerns.
What happens if you are not compliant?
As part of the Data Protection Act (DPA) 2018, non-compliance with the Age Appropriate Design Code will be treated in much the same manner as violations against other sections of the Act, depending upon the severity of the violation. The ICO’s enforcement methods include:
- orders to cease processing of data
- mandatory data protection audits
- fines of up to 4% of a company’s turnover
If you have not already done so, you should start reviewing your existing services to establish whether they are covered by the Code. If they are covered, you should review your existing DPIA or conduct a new one as soon as possible.
When conducting the DPIA, you should focus on assessing conformance with the standards in the Code and identifying any additional measures necessary to conform.
With the compliance deadline now passed, applicable changes to the service should be made as a matter of urgency.