The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

Dear Baroness Kidron,

Many thanks for your letter of 08 October and its accompanying annex relating to the evidence gathering by 5Rights in relation to the ICO’s age appropriate design code (Children’s code).

It is encouraging to see the deep dive that 5Rights have done on the code’s influence in the lead up to its coming into force. I have always said that the Children’s code will be a game changer in terms of protecting children’s data; a group in society that need specific protection and attention when navigating the online world. The code shows data protection’s potential at its best; a forward-thinking innovative driver for proportionate protections that enhance society’s engagement with the digital world. Regulating data protection law is ultimately about real people suffering real impacts when organisations get their obligations wrong; this is crucially important when it comes to our children.

It is thus important that we see evidence of behavioural and process change by those engaged in online services under the scope of the Children’s code. Now that the transition period is over as of 02 September 2021, and we must consider the code when determining compliance with data protection law, the ICO is presently conducting an evidence gathering process to identify conformance with the code, and thus compliance with the underlying data protection law. In this process, the ICO is taking a systemic approach; we are focusing our interventions on operators of online services where there is information which indicates potential poor compliance with privacy requirements, and where there is a high risk of potential harm to children.

I recognise the detailed work that 5Rights undertook earlier this year, as presented in your letter’s annex, outlining specific cases of non-conformance against thematic areas of concern. I hope you will recognise that as a regulator, the ICO will always face tough choices on how to deploy our limited resources. As such, this is why our initial focus is on those cases of greatest potential harm with non-conformance across multiple standards. Based on that potential for high risk, our focus is currently on the following sectors: social media and messaging; gaming; video content and music streaming. The ICO must also be careful not to apply the code’s standards retrospectively; as such our evidence gathering must be time-bound to the period 02 September 2021 onwards.

I note that you raise three overarching concerns on page 1 of your letter; namely:
- Disparity of approach to conformance across organisations in scope of the Children’s code
- The apparent lack of action to change practices towards conformance by certain sectors, in particular you mention the gaming sector
- The interpretation of the code as a set of individual standards rather than a holistic package of protections

I hope that by providing some more context to the work we are undertaking that these concerns may be addressed. At present, we are reviewing information returned to us by a range of companies across the potential high risk sectors I outlined above, to determine their standards of conformance individually and as sectors since the end of the code’s transition period. We have written to 40 organisations across the three sectors. We are going to write to a further nine companies who are referenced in your letter. We anticipate that we will receive responses from all the organisations by the end of December.

We anticipate that the nature of the information gathered by the ICO during this exercise will enable us to assess standards of conformance in relation to the vast majority of the thematic areas of concern you set out in the “Summary of Systemic Breaches” section of your letter. The exercise enables us to act formally if necessary, by providing the requisite evidence base required for our regulatory action. The range of tools available to us to intervene as a regulator begins at the level of engagement, where we may engage to improve conformance in a given organisation or more widely in an entire sector. But these tools extend to the more prescriptive options such as enforcement notices, and/or penalty notices for cases of significant non-compliance with the law.

In terms of timescales, we need to take the time to understand what the information gathered is telling us systemically and individually. Our regulatory options will be based on that careful understanding and as such I expect that we will progress to next steps in spring 2022.

In relation to specific concerns you raised about age ratings published by online app stores, we have contacted Apple and Google to enquire about the extent to which the risks associated with the processing of personal data are a factor when determining the age rating for an app.

We are also undertaking a programme of activity focused on age assurance which includes the recent publication of a Commissioner’s Opinion and a call for evidence on the use of age assurance. The call for evidence will deepen our understanding of how industry is responding to the age application standard. We also intend to run a series of stakeholder roundtable events to gather further information on the use of age assurance. We will use the findings of these activities to inform the scope of any further regulatory action in relation to age assurance. We recognise the interest of 5Rights and others in the area of age assurance so would hope you will take part in the roundtable process.

Finally, to address the concerns raised by 5Rights which are not currently in scope of the ICO’s information gathering exercise. First, you raised the concern that connected devices, such as toys, often do not provide an accessible privacy policy or other such measure. We recognise the increased interest in the area of connected devices generally and their implications for data protection, including where said connected devices are toys aimed at child users. We also recognise that this is a developing area and it is important that conformance with the code is addressed at the design stage. We will be monitoring developments in this area. This is an area of general ICO interest beyond our Children’s code work alone and so may be subject to a longer timeframe than our immediate work already underway on the code.

You also raised concerns regarding age assurance and adult content websites such as pornographic sites. The code’s scope does not extend to adult-only websites. Thus the harm identified is not primarily related to data misuse; rather it is an issue of content access.

However we recognise both the strong societal interest in addressing the accessing of pornographic content by underage users, and the apparent potential in the Children’s code to address this. The ICO is keen to ensure that the code is a success within its scope; this success could be put in question if the scope of the code is stretched to also cover adult-only online services. We have previously written to the Department for Digital, Culture, Media and Sport (DCMS) to make them aware of the clamour by child advocates for action on the issue of underage access to online pornography, and for the Children’s code to be used as a vehicle to do so.

DCMS in response agreed that the Children’s code is not the legislative route for addressing this issue, which in fact is better addressed via the Online Safety Bill currently before Parliament. The ICO will continue to work with DCMS, Ofcom as the intended online safety regulator, and others to ensure that where we can act under current regulation, we do try to prevent underage access. However the solution to the problem is not one that sits squarely within the code or within data protection so is not one the ICO can commit to address entirely.

I hope that this response helps provide some context to the work currently underway at the ICO in relation to Children’s code conformance. I also hope that the research already undertaken by 5Rights continues to enlighten both the ICO’s own market intelligence but also informs the wider public debate on issues running parallel to the code, such as online safety. I recognise that a clear legislative framework for online safety, as due to be set out in the current bill, will mark a significant milestone for the UK in addressing these concerns clearly, consistently and with cooperation between regulators.

As ever, the ICO remains available to discuss our work and any future insights you may wish to share with us.

Yours sincerely, Elizabeth Denham