ICO publishes its Code for age appropriate design of online services used by children


The ICO has now published the final version of its Age Appropriate Design Code of Practice for Online Services. The Code is a statutory one in the sense that the ICO is obliged by law to produce it. In terms of enforcement, the ICO can rely on the Code against any service it applies to: a service that does not follow the Code is not following recognised best practice, and so will struggle to demonstrate that its processing of children's data complies with the GDPR.

However, the Code still needs to be laid before and approved by Parliament, and judging by the ICO's blog post about the Code, the ICO is not expecting that to happen until later this year. There will then be a 12 month implementation period during which services are expected to apply the Code (which the ICO says means services will probably need to be compliant with the Code by Autumn 2021).

Here is a summary of the relevant bits (the full Code is published on the ICO website):

  • Relevant services covered by the Code include any online service used by, or likely to be used by, children which results in the processing of their personal data. This includes websites, apps, messaging services, social media, connected toys, and so on.
  • A child is defined as a person under 18.
  • The Code applies to all services based in the UK, and to non-UK services that have a branch or office in the UK or that are targeted at UK children.
  • The Code applies to existing services as well as new ones.
  • The Code includes 15 "standards of age appropriate design". These standards should be built into the design of the service:
    1. Process data in the best interests of the child, meaning "supporting the child's need for safety, health, wellbeing, family relationships, physical, psychological and emotional development, identity, freedom of expression, privacy and agency to form their own views and have them heard". To achieve this the service must consider how its processing of personal data keeps the child safe from exploitation, protects and supports their health and wellbeing, their physical and psychological development, and their need to develop their own identity and views. The service should also support the needs of children with disabilities, and support parents in protecting their child's best interests.
    2. Carry out a Data Protection Impact Assessment (DPIA) which assesses, and sets out how the service mitigates, the risks to children arising from the use of the service.
    3. Take a risk-based approach to recognising the age of users, so that the service can tell whether a user is a child. The level of certainty about age should be proportionate to the risks the processing poses to children; the alternative is to apply the Code's standards to all users.
    4. Be open and transparent about the processing of data. Privacy policies, published terms and community standards must be "prominent, and in clear language suited to the age of the child", and the service should provide "'bite-sized' explanations about how personal data is used, at the point that use is activated". In practice this means services will need to provide clear privacy information, provide additional snippets of information when personal data is about to be used (e.g. to explain the implications of providing the data and to confirm the child is OK with it), and provide clear terms of service and policies, all presented in a way a child would understand (the ICO gives some guidance on what is appropriate for which age ranges).
    5. Don't process a child's personal data in a way that is "detrimental to their wellbeing", or that goes against best practice or other legislative requirements. Of particular relevance here is best practice around marketing to children, for example.
    6. Uphold the service's own published policies and procedures. In other words, if the service says it will or won't do something, or has terms about unacceptable behaviour, it will need to be able to show that it enforces them.
    7. Settings must be "high privacy" by default, so that the child's privacy is protected unless the child chooses to change those settings themselves.
    8. "Collect and retain only the minimum amount of personal data you need", and give the child options over which elements of data they provide at specific points (e.g. don't ask for everything up front if some of the data is only needed when the child chooses to use a particular part of the service; ask for it at that point).
    9. Don't share children's data unless there is a compelling reason to do so.
    10. Switch geolocation options off by default, and make it obvious to the child when location tracking is active.
    11. If the service provides parental controls (i.e. so a parent can place limits on a child's activity), give the child age-appropriate information about this, and make sure the child is given an obvious sign when their activity is being monitored or their location tracked.
    12. Profiling options should be off by default, and profiling should only take place if appropriate measures are in place to protect the child from any "harmful" outcomes of the profiling.
    13. Do not use "nudge techniques" to encourage children to provide unnecessary data or to turn off privacy protections.
    14. If the service is a connected toy or device, make sure it adheres to the Code.
    15. Provide tools to help children exercise their data protection rights (e.g. access, rectification, erasure, etc.).
  • Service providers will be expected to put systems in place to support, and to demonstrate, their adherence to the Code's standards.

In practice the Code applies a lot of common GDPR practice to the processing of a child's data, so much of what it requires should already be in place.

Whilst the Code has yet to be approved by Parliament, you would be best placed to start getting a plan in place now to meet its requirements, as I suspect it is unlikely to change much between now and Parliament reviewing it.
