The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

How have the data protection rules changed?

They haven’t. Data protection regulation hasn’t changed and the code is not new law. Everything it requires links back to an existing provision of the GDPR. What the code does is provide a further level of detail on what the Commissioner, as UK regulator of the GDPR, will expect you to do in order to comply with existing GPDR requirements.

Our expectations have been influenced by the remit Parliament set in s123 of the DPA 2018 which placed the duty on the Commissioner to develop the code. This said that the Commissioner must take account of the fact that children have different needs at different stages of their development. The code makes it clear that you need to account for the age and needs of children who are likely to use your service, and sets out how you can do that.

How do I know if my service is covered?

The code applies to ‘information society services’ likely to be accessed by children in the UK. In simple terms, that means many apps, online games, connected toys and devices, search engines, social media platforms and websites that offer goods, news or education services. It is not limited to services specifically directed at children.

As a starting point, you should note that we expect most online services used by children to be covered, and those that aren’t covered to be exceptional.

Will the code only apply to UK-based companies?

The code applies to UK companies. It also applies if you are a non-UK company with a branch, office or establishment in the UK and you process personal data in the context of the activities of that office.

It will also apply if you are based outside the EEA, even if you don’t have a UK branch or office, if you offer your service to UK users (or monitor the behaviour of UK users) and it is likely to be accessed by children.

The code won’t currently apply if an organisation is based outside the UK and does not have a UK branch or office, but has one elsewhere in the EEA (even if it is offering services to UK users or monitoring the behaviour of users in the UK). 

What does the code expect?

If you are covered by the code, it expects you to:

  • create an open, transparent and protected place for children when they are online;
  • follow a series of standards when designing, developing or providing your online services where they are likely to be accessed by children;
  • consider the best interests of the child when processing their personal data. The code applies to apps, connected toys and devices, search engines, social media sites and online games; and
  • implement high privacy settings by default and use language that is clear and easy for children at different development stages to understand. The code includes key safeguards around the automated profiling of children, the use of geolocation data, and the transparency of marketing techniques.

You can’t possibly monitor every website, app or game. How will you enforce the code?

There is a 12-month transition period, during which our focus is helping organisations conform with the code and put the best interests of the child first. We are working with industry to develop further support and guidance during the implementation period, to help organisations to make the necessary changes so that they are ensuring an age appropriate service for child users. We’ll be producing a package of support to help organisations, particularly smaller businesses, understand what they need to do to conform.

At the end of this period, where we identify concerns about the way in which children’s personal data is being used, or where parents, carers, teachers or children complain to us, we will investigate and we will take action, focussing on areas of highest risk of harm. We will take a proportionate, risk-based approach to regulation. Where we find organisations that show disregard for people’s data, we can act - we have a range of tools, including compulsory audits, orders to stop processing and fines of up to 4% of global turnover.

Will the code mean that newspapers will need to change how they publish?

It is important to balance privacy rights with those on freedom of expression and access to information. The code is not intended to prevent young people from engaging with the world around them. We do not want to create any barriers to children accessing news content. Our focus will be on how newspapers use personal data, rather than on the news that they publish (see Services covered by this code).

Some business representative bodies say that small businesses will be forced to fold, what is your response to that?

We understand that delivering the standards set out in the code will bring challenges for the tech, e-gaming and interactive entertainment industries.

That’s why, in addition to the code itself, we are also developing tools, guidance and other support, working collaboratively with representative bodies, to help organisations prepare during the transition period.

But the price of digital innovation cannot be our children’s privacy. The two must, and can, go hand in hand. Organisations innovate to target customers, now they must innovate to protect children.