What is the Children’s Code?
The Children’s Code (or Age Appropriate Design Code as it is formally known) is a statutory code of practice under the Data Protection Act 2018 (DPA 2018).
The data protection framework recognises that children should be given special treatment when it comes to their personal data. Our code translates what the law says into 15 standards that online services should follow to ensure they are complying with the law.
The code aims to ensure that children have a baseline of protection automatically by design and default, so that they are protected within the digital world rather than being protected from it.
Children are treated differently in the real world, this code ensures they are treated differently in the digital world too.
Why do we need a Children’s Code?
Apps, games and websites can start to gather data the moment a young person opens or visits them. This data can include who’s using the service, how frequently and where from.
That information may then be used to tailor the advertisements they see, shape the content they are encouraged to engage with or to persuade them to spend more time using services.
For all the benefits digital services can offer children, the industry is not currently creating a safe space for them to learn, explore and play.
What needs to change:
Services need to acknowledge that children should be treated differently. One in five people in the UK who use the internet are children, but the internet was not designed with them in mind.
There are laws to protect children in the real world – film ratings, car seats, age restrictions on drinking and smoking. We need laws to protect children in the digital world too and our code seeks to do that.
What does this mean in practice?
When personal data drives the content that children are exposed to, this must be made clear and you must recognise and act on your responsibilities to protect children’s rights and freedoms. The law compels you to.
In practical terms this includes:
- providing privacy settings that are high by default;
- switching off geo-location services that can reveal a child’s location to the world; and
- not using nudge techniques and notifications to encourage children to give up more personal data.
Of course children, and the adults that look after them, can choose to change their default settings, but the code makes sure they get the right information, guidance and advice before they do so, and proper protection in how their data is used afterwards.
What does a statutory code mean?
The Commissioner must take the code into account when considering whether an online service has complied with its data protection obligations under the General Data Protection Regulation (GDPR) or the Privacy and Electronic Communications Regulations 2003 (PECR). In particular, the Commissioner will take the code into account when considering questions of fairness, lawfulness, transparency and accountability under the GDPR, and in the use of her regulatory powers.
The code can also be used as evidence in court proceedings, and the courts must take its provisions into account wherever relevant.
When does the code come into force?
The code came into force on 2 September 2020 but there is a 12 month transition period, so organisations will need to conform with it from 2 September 2021.
What will happen during the transition period?
The ICO will be developing additional resources as part of our package of support to help organisations in making changes to their services.
What happens if relevant services do not conform to the code?
The code is rooted in existing data protection laws (the GDPR and DPA 2018), that the ICO regulate and enforce. Relevant services, ie those that are likely to be accessed by children and which process their personal data, are likely to find it more difficult to demonstrate that processing is fair and complies with the GDPR and PECR if they don’t conform to the code. If services process a child’s personal data in breach of the GDPR or PECR, the ICO can take action. The ICO has a range of regulatory powers including audits, assessments, stop processing orders and fines. These are subject to other applicable laws.
What will happen to the code post-Brexit?
The code is a requirement of UK data protection law and completed the Parliamentary scrutiny process in July 2020. It will continue to apply post-Brexit.
After Brexit, the code will apply to services established in the EEA who are targeting UK users in the same way as to services established outside the EEA.