How have the data protection rules changed?
They haven’t. Data protection regulation hasn’t changed and the code is not new law. Everything it requires links back to an existing provision of the GDPR. What the code does is provide a further level of detail on what the Commissioner, as UK regulator of the GDPR, will expect you to do in order to comply with existing GDPR requirements.
Our expectations have been influenced by the remit Parliament set in s123 of the DPA 2018 which placed the duty on the Commissioner to develop the code. This said that the Commissioner must take account of the fact that children have different needs at different stages of their development. The code makes it clear that you need to account for the age and needs of children who are likely to use your service, and sets out how you can do that.
How do I know if my service is covered?
The code applies to ‘information society services’ likely to be accessed by children in the UK. In simple terms, that means many apps, online games, connected toys and devices, search engines, social media platforms and websites that offer goods, news or education services. It is not limited to services specifically directed at children.
As a starting point, you should note that we expect most online services used by children to be covered, and those that aren’t covered to be exceptional.
Will the code only apply to UK-based companies?
The code applies to UK companies. It also applies if you are a non-UK company with a branch, office or establishment in the UK and you process personal data in the context of the activities of that office.
It will also apply if you are based outside the EEA, even if you don’t have a UK branch or office, if you offer your service to UK users (or monitor the behaviour of UK users) and it is likely to be accessed by children.
The code won’t currently apply if an organisation is based outside the UK and does not have a UK branch or office, but has one elsewhere in the EEA (even if it is offering services to UK users or monitoring the behaviour of users in the UK).
What does the code expect?
If you are covered by the code, it expects you to:
- create an open, transparent and protected place for children when they are online;
- follow a series of standards when designing, developing or providing your online services where they are likely to be accessed by children;
- consider the best interests of the child when processing their personal data. The code applies to apps, connected toys and devices, search engines, social media sites and online games; and
- implement high privacy settings by default and use language that is clear and easy for children at different development stages to understand. The code includes key safeguards around the automated profiling of children, the use of geolocation data, and the transparency of marketing techniques.
You can’t possibly monitor every website, app or game. How will you enforce the code?
There is a 12-month transition period, during which our focus is helping organisations conform with the code and put the best interests of the child first. We are working with industry to develop further support and guidance during the implementation period, to help organisations to make the necessary changes so that they are ensuring an age appropriate service for child users. We’ll be producing a package of support to help organisations, particularly smaller businesses, understand what they need to do to conform.
At the end of this period, where we identify concerns about the way in which children’s personal data is being used, or where parents, carers, teachers or children complain to us, we will investigate and we will take action, focussing on areas of highest risk of harm. We will take a proportionate, risk-based approach to regulation. Where we find organisations that show disregard for people’s data, we can act - we have a range of tools, including compulsory audits, orders to stop processing and fines of up to 4% of global turnover.
Will the code mean that newspapers will need to change how they publish?
It is important to balance privacy rights with those on freedom of expression and access to information. The code is not intended to prevent young people from engaging with the world around them. We do not want to create any barriers to children accessing news content. Our focus will be on how newspapers use personal data, rather than on the news that they publish (see Services covered by this code).
Some business representative bodies say that small businesses will be forced to fold. What is your response to that?
We understand that delivering the standards set out in the code will bring challenges for the tech, e-gaming and interactive entertainment industries.
That’s why, in addition to the code itself, we are also developing tools, guidance and other support, working collaboratively with representative bodies, to help organisations prepare during the transition period.
But the price of digital innovation cannot be our children’s privacy. The two must, and can, go hand in hand. Organisations innovate to target customers; now they must innovate to protect children.
Annex: FAQs Summary
The questions below were raised during or before webinars. We grouped the many responses into thematic areas.
How do you determine whether a website is likely to be accessed by a child?
For the purposes of the code, a child is a person under 18. For a service to be ‘likely’ to be accessed, the possibility of this happening needs to be more probable than not. The ICO does not set thresholds or target numbers to determine likelihood.
In practice, whether children are likely to access your service depends on:
- the nature and content of the service and whether that has particular appeal for children; and
- the way in which users access the service and any measures you put in place to prevent children from gaining access.
You should consider if the content of your site would interest a child. If you are an online fashion retailer, for example, do you sell clothes that may appeal to teenagers? Have you done any research to confirm who your customers are?
See ‘Services covered by the code’ for more information.
Isn’t there a contradiction in having different control options for the age brackets, when an ISS is not targeted to children but they may access it?
No. Parliament deliberately chose to ensure that the code applies to services likely to be accessed by children, ie those that they use in reality, irrespective of whether they are the intended audience.
However, you are not required to design services for age groups and development stages that aren’t likely to access your service. There is also flexibility, so you don’t have to use the exact age ranges in the code if you can justify why slightly different age groupings are more appropriate for your service.
Doesn’t the standard on nudge techniques go beyond the scope of current data protection law?
No. The requirements addressing nudge techniques in the code link to fairness and transparency of data processing, in line with Article 5(1)(a) of the GDPR. The standard focuses on design features that “lead or encourage children to provide unnecessary personal data or turn off privacy protections”.
The code recommends that services consider nudges that promote health and wellbeing or best interests.
An adult would be the account holder of my service. Wouldn’t we only be collecting personal data for the account holder, even if a child were to access the service?
Not necessarily. Your service may be collecting personal data from the child (eg browsing history). Consider what risks may arise from children accessing the service through an adult’s account and decide how you will address those risks through the design of your service.
Our business is global. How do we marry the requirements of the ICO’s Children’s Code with regulatory requirements in other jurisdictions?
The code is a statutory requirement if you are an ISS delivering services to children in the United Kingdom. At its heart, the code is about understanding and mitigating risks to children that arise when you decide to process their personal data in order to deliver your service. Ultimately, it is about treating children fairly and, when you are designing your service, ensuring that their best interests are a primary consideration. Although all elements of the code may not translate across all jurisdictions, this core, risk-based approach should.
Researching and completing a good data protection impact assessment (DPIA) is one way to show how you are addressing different requirements and conforming to the core standards of the code while providing services to UK children. You can use the DPIA to demonstrate that you have thought about relevant jurisdictions and map how your solutions address these issues.
Our website is mainly used for trade but consumers can view our products and ask for stockist information. The only data we collect from our website is for trade customers wanting to receive a catalogue or place an order. Presumably there is no issue here with the Children’s Code?
You need to consider whether your website is likely to be accessed by children.
This is likely to depend on:
- the nature and content of your website and whether it has particular appeal for children; and
- the way in which users access your website and any measures you put in place to prevent children gaining access.
Our interpretation of ‘likely to be accessed’ in this context is that it must be more probable than not that a child accesses the website.
Having considered these criteria, if you are satisfied that children are not likely to access your website then the code will not apply. You should document the basis of your decision.
Do we need to retrospectively verify the age of users who have previously registered for our service, or apply the code only for new users?
The code applies to all children who use your services, both those that have already registered and those who are new to your service.
You need to review how well you know the age of your users and, considering the risks arising from any data processing, establish the age of individual users with a level of certainty appropriate to those risks. If the risks of processing for your service are low, then self-declaration mechanisms to confirm the age of your users may be appropriate. For higher-risk services, you need to think about establishing a greater degree of certainty. See the age appropriate application standard for further details.
How can I be sure adult consent is given?
Article 8(1) of the GDPR says you need to make ‘reasonable efforts’ to obtain and verify parental consent for children under 13. You can also consider other circumstances, including your resources and the level of risk identified in your DPIA, but you must be able to justify your approach.
For low risk processing, a declaration of parental consent and responsibility via a tick box or email confirmation may suffice. You may consider that further checks are not reasonable (or indeed practical) and that these steps are sufficient, given the low risk to the child of the proposed processing.
For higher risk processing, you need to adopt more stringent means to verify the consent you’ve obtained. For example, you may decide to use a third-party verification service to verify that the child is old enough to provide their own consent, or to check the identity of the person claiming parental responsibility and confirm the relationship between them and the child.
Meeting the standards in this code should also help. This is because the standards in the code work together to mitigate risks arising from the processing of children’s personal data. In particular, if you conform to the standard on age appropriate application (and apply the standards to all users where you are unable to establish age with a level of confidence that is appropriate to the risks) then you are providing significant protections for children by default, even if they lie about their age. This reduces the risks that might arise from not knowing how old a user is, or from not verifying parental consent to a high standard. Parental consent becomes only one of a number of measures in place to protect children online.
Can we use QR codes on leaflets and product information to take children and adults to a video of the product on a video sharing platform? We use a video sharing service and all our content on our channel is categorised as ‘developed for kids’ and no data will be collected on people watching the videos.
Yes, in principle, as long as the QR code only represents a direct URL to the hosted video and is not editable or trackable by third parties. Whilst some video or channel categorisation such as ‘developed for kids’ on sharing platforms may limit the nature or volume of data you collect, you still need to ensure that your use of the platform complies with any relevant data protection requirements.
Transparency and consent
Who determines whether language is suited to the age of the child?
Overall responsibility and accountability rests with the ISS to show that they conform with the code and underlying data protection requirements. Use research and get advice from experts on what is relevant. Use an iterative approach to ensure that your policies are appropriate to children of different ages.
The Commissioner is responsible for monitoring conformance with the requirements of the code. Where we find issues we take fair, proportionate and timely regulatory action with a view to guaranteeing that organisations properly protect individuals’ rights. For further details, see the enforcement section of the code.
Which version of terms and conditions (adult or children’s) would have legal status and be enforceable?
If you believe that you need to draft your terms and conditions in a certain way in order to make them legally robust, then you can provide child-friendly explanations to sit alongside the legal drafting.
Where the Commissioner is considering fairness, lawfulness, accountability and transparency, full terms and conditions and child-friendly explanations are relevant and taken into account.
You should consider your cookie use as well as any limitations on accessing your site in your DPIA. Whether you choose to adopt a subscribe 18 setting is a business decision for you, and depends on the level of data processing on your site and the risk of that processing for children.
I use mod_geoip to detect what country a visitor is in based on their IP, so I can direct them to the country-appropriate version of our online shop (with an HTTP 301 redirect). I don't retain the data. I assume that's not the sort of thing you mean by "Geolocation"?
No. The geolocation standard in the code is more granular and concerned with GPS or other data that would enable a service to determine the exact location of a child.
The use of country identifiers in this case appears to be a core part of your service to ensure that users get shop items that relate to their location. You should ensure that you are complying with PECR requirements, see our separate Guide to PECR for further details.