Age Appropriate Design Code

Share This Post

On the 12th of August, the ICO issued their Age Appropriate Design Code after it was laid before Parliament for approval. The Code comes into force on the 2nd September, with a 12 month transition period. The Code is aimed at any online service which is aimed at, or likely to be used, by children and requires the service provider to apply 15 “standards of age appropriate design”:

  1. The best interests of the child should be a primary consideration when you design and develop online services likely to be accessed by a child
  2. Undertake a DPIA to assess and mitigate risks to the rights and freedoms of children who are likely to access your service, which arise from your data processing. Take into account differing ages, capacities and development needs and ensure that your DPIA builds in compliance with this code
  3. Take a risk-based approach to recognising the age of individual users and ensure you effectively apply the standards in this code to child users. Either establish age with a level of certainty that is appropriate to the risks to the rights and freedoms of children that arise from your data processing, or apply the standards in this code to all your users instead
  4. The privacy information you provide to users, and other published terms, policies and community standards, must be concise, prominent, and in clear language suited to the age of the child. Provide additional specific ‘bite-sized’ explanations about how you use personal data at the point that use is activated
  5. Do not use children’s personal data in ways that have been shown to be detrimental to their wellbeing, or that go against industry codes of practice, other regulatory provisions, or Government advice
  6. Uphold your own published terms, policies and community standards (including but not limited to privacy policies, age restriction, behaviour rules and content policies)
  7. Settings must be ‘high privacy’ by default (unless you can demonstrate a compelling reason for a different default setting, taking account of the best interests of the child)
  8. Collect and retain only the minimum amount of personal data you need to provide the elements of your service in which a child is actively and knowingly engaged. Give children separate choices over which elements they wish to activate
  9. Do not disclose children’s data unless you can demonstrate a compelling reason to do so, taking account of the best interests of the child
  10. Switch geolocation options off by default (unless you can demonstrate a compelling reason for geolocation to be switched on by default, taking account of the best interests of the child), and provide an obvious sign for children when location tracking is active. Options which make a child’s location visible to others should default back to ‘off’ at the end of each session
  11. If you provide parental controls, give the child age appropriate information about this. If your online service allows a parent or carer to monitor their child’s online activity or track their location, provide an obvious sign to the child when they are being monitored
  12. Switch options which use profiling ‘off’ by default (unless you can demonstrate a compelling reason for profiling to be on by default, taking account of the best interests of the child). Only allow profiling if you have appropriate measures in place to protect the child from any harmful effects (in particular, being fed content that is detrimental to their health or wellbeing)
  13. Do not use nudge techniques to lead or encourage children to provide unnecessary personal data or turn off privacy protections
  14. If you provide a connected toy or device, ensure you include effective tools to enable conformance to this code
  15. Provide prominent and accessible tools to help children exercise their data protection rights and report concerns

The standards apply to the majority of online services used by children, such as apps, programs and websites “including search engines, social media platforms, online messaging or internet based voice telephony services, online marketplaces, content streaming services (eg video, music or gaming services), online games, news or educational websites, and any websites offering other goods or services to users over the internet… [plus] Electronic services for controlling connected toys and other connected devices”. The Code does not apply to services provided by public authorities, “brochure” websites about a business, traditional voice telephony, general broadcast services (e.g. scheduled TV and radio programs) or preventative or counselling services.

Businesses impacted by the Code have until the 2nd September 2021 to implement the recommended standards and should put in place systems to support and demonstrate compliance with the Code (as well as data protection). Whilst the Code is not legal binding the ICO point out:

[if] you don’t conform to the standards in this code, you are likely to find it more difficult to demonstrate that your processing is fair and complies with the GDPR and PECR. If you process a child’s personal data in breach of the GDPR or PECR, we can take action against you

We’re running a free webinar to cover the basics of the Code, its standards and what those organisations effected should be doing before 2nd September 2021.

More To Explore

Eat. Sleep. GDPR. Repeat.

We live and breathe GDPR and ePrivacy compliance, so you don’t have too. Our GDPR UNLIMITED helpline is all about offering you help and support, whenever you need it most. As well as the unlimited helpline, you get up to 4 hours “hands-on” help each month, which we can configure to help you in anyway you need such as a GDPR review, or acting as your DPO.

As well as the unlimited helpline and hands-on help you get GDPR and privacy updates, access to our GDPR knowledge centre and webinars.

Unlimited email & phone support

Unlimited email and phone support. Email or organise a voice call as often as you need each month.​

Up to 4 hours "hands-on" help per month

We use these "hands-on" hours to do the GDPR work for you, such as reviews, acting as your DPO, checking DPIA, dealing with breaches, training your staff, etc. (Additional hours: £100+VAT per hour)

Online resources

Our Knowledge Centre gives you access to information, guidance, topic related guides and other tools to support your GDPR and PECR compliance

Updates, alerts & briefings

We provide updates and alerts and a monthly compliance briefing. You can either sign into the Knowledge Centre or sign up via email to receive an email every time we add a new update or alert

DPO services

Whether mandated or not we can act as your Data Protection Officer (DPO) and manage your day to day compliance

Webinars, workshops & training

Whether updates on the latest issue, workshops or team training, it's all included in your monthly retainer.

LIKE WHAT YOU'RE READING? join our email list

Sign up for monthly briefings and the occasional emails about our webinars and services

Want to know more about how we use your data? Check out our privacy policy