The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

The Government included provisions in the Data Protection Act 2018 to create world-leading standards that provide proper safeguards for children when they are online.

As part of that, the ICO is required to produce an age-appropriate design code of practice to give guidance to organisations about the privacy standards they should adopt when offering online services and apps that children are likely to access and which will process their personal data.

A link to the Parliamentary debate, led by Baroness Kidron, is here.

The standards in the code were backed by existing data protection laws which are legally enforceable and regulated by the ICO. The regulator has powers to take action against organisations that break the law including tough sanctions like orders to stop processing data and fines of up to £17million or 4% of global turnover.

The first draft of the code went out to consultation in April 2019. It was informed by initial views and evidence gathered from designers, app developers, academics and civil society.

The ICO also sought views from parents and children by working with research company Revealing Reality.

As part of the ICO’s work to create the code we reviewed and considered existing studies and research brought together here.

The Secretary of State laid the Age Appropriate Design Code to Parliament under section 125(1)(b) of the Data Protection Act 2018 (the Act) on 11 June 2020. The ICO issued the code on 12 August 2020 and it will come into force on 2 September 2020 with a 12 month transition period.

Deputy Commissioner Steve Wood blogged about the Children’s Code impact assessment.

Elizabeth Denham talked about the importance of the code on a #kidtech podcast.

The Children’s Code industry barometer report outlines the findings of a quantitative survey with representatives of over 500 information society services. The research, provides a snapshot of online services’ views on the code at the halfway point of its 12 month transition period. We’ll be continuing with this research and hope to publish the second part in Autumn 2021.

To help ensure that the ICO remains responsive to children’s issues, and to assist the ICO to support industry and engage with children, parents and schools on data protection issues, the ICO has set up a Children’s Advisory Panel (CAP).

Relevant international laws and policies

OECD Recommendation on Children in the Digital Environment was adopted in May 2021 and aims to help countries to find a balance between protecting children from online risks, and promoting the opportunities and benefits that the digital world provides.

You can read more here Protecting children online - OECD.

The UN general comment no. 25 was recently adopted by the UN Committee on the Rights of the Child and sets out how children’s rights apply online as well as offline.
You can read the formal general comment and a child friendly version here OHCHR | GC children’s rights in relation to the digital environment.

The Council of Europe works to protect and promote human rights, including the rights of children. The Council recognises the role that the digital environment plays in children’s lives and has released guidance and recommendations on supporting children’s rights on the internet.

You can read more about the work the Council of Europe does to support children’s online rights here The digital environment (coe.int).

The Federal Trade Commission (FTC) is conducting a review of the Children’s Online Privacy Protection Act Rule (COPPA). COPPA is an American law created in 1998 that gives companies processing the data of US children under 13 years old certain rules to abide by.

You can read more about COPPA on the FTC website here

Please note that the FTC review of the COPPA Rule is ongoing.

US Senators have written big tech companies a letter calling for them to apply the UK code standards to children to the US.

In 2020 the Data Protection Commission in the Republic of Ireland published a draft version of their guidance for the processing of children’s personal data, The Fundamentals for a Child-Orientated Approach to Data Processing (the Fundamentals).

You can view the Fundamentals draft here Fundamentals for a Child-Oriented Approach to Data Processing_Draft Version for Consultation_EN.pdf (dataprotection.ie).