The Age Appropriate Design Code (“Code”), a new statutory Code of Practice published by the UK Information Commissioner’s Office (“ICO”), enters into force today (2 September 2021) following a one year transition period. The Code seeks to regulate the provision of online services to children, providing influential guidance to businesses regarding how to build such services in a way that complies with UK data protection law.
It is a fact of modern life that the average child spends significant amounts of time online, often from a very early age. This is a trend that has become particularly pronounced over the course of the Covid-19 pandemic, as everything from the delivery of education to socialising with friends has, as a matter of necessity, become increasingly digital. However, as the ICO highlights: “One in five UK internet users are children, but they are using an internet that was not designed for them”.
In this context, the importance of setting clear guardrails for businesses who interact with children online has become apparent. The Code seeks to fulfil this need through the promotion of 15 flexible standards of ‘age appropriate design’ that have been created to reflect the special privacy safeguards children require when online.
The Children’s Code is not new law, but a statutory Code of Practice under the Data Protection Act 2018. The Code was laid before Parliament on 11 June 2020, under s. 125(1)(b) of the DPA. The Code was then issued on 12 August 2020 by the ICO, however enforcement of the Code was delayed for one year under a transition period designed to give businesses time to get to grips with the Code.
What does the Code say?
In essence, the Code explains how the UK General Data Protection Regulation, the Data Protection Act and the Privacy and Electronic Communications Regulations apply to the design and delivery of ‘information society services’ (“ISS”) (which encompasses everything from social media platforms, through educational platforms, to online games) to children. In line with the extra-territorial scope of those laws, it applies to both UK-based companies and non-UK companies who process the personal data of UK children in the context of an ISS.
At the heart of the code are 15 standards that the ICO asks businesses to adhere to when designing online services that are targeted – either wholly or in part – at children. Many of these standards will be familiar to those with existing knowledge of UK data protection law as they directly echo underlying statutory requirements. Others are more softly linked to statutory requirements, and reflect the ICO’s view on what constitutes fair and proportionate behaviour in the context of data protection law when it comes to a vulnerable group of data subjects such as young people. Ultimately, the standards are cumulative and interlinked, and so in practice, they must all be observed:
- Best interests of the child should be the primary…