This code came into force on 2 September 2020, with a 12 month transition period. Organisations should conform by 2 September 2021.
The Secretary of State laid the Age Appropriate Design Code to Parliament under section 125(1)(b) of the Data Protection Act 2018 (the Act) on 11 June 2020. The ICO issued the code on 12 August 2020 and it will come into force on 2 September 2020 with a 12 month transition period.
There is more information in the Explanatory Memorandum.
Information Commissioner’s foreword
Data sits at the heart of the digital services children use every day. From the moment a young person opens an app, plays a game or loads a website, data begins to be gathered. Who’s using the service? How are they using it? How frequently? Where from? On what device?
That information may then inform techniques used to persuade young people to spend more time using services, to shape the content they are encouraged to engage with, and to tailor the advertisements they see.
For all the benefits the digital economy can offer children, we are not currently creating a safe space for them to learn, explore and play.
This statutory code of practice looks to change that, not by seeking to protect children from the digital world, but by protecting them within it.
This code is necessary.
This code will lead to changes that will help empower both adults and children.
One in five UK internet users are children, but they are using an internet that was not designed for them. In our own research conducted to inform the direction of the code, we heard children describing data practices as “nosy”, “rude” and a “bit freaky”.
Our recent national survey into people’s biggest data protection concerns ranked children’s privacy second only to cyber security. This mirrors similar sentiments in research by Ofcom and the London School of Economics.
This code will lead to changes in practices that other countries are considering too.
It is rooted in the United Nations Convention on the Rights of the Child (UNCRC) that recognises the special safeguards children need in all aspects of their life. Data protection law at the European level reflects this and provides its own additional safeguards for children.
The code is the first of its kind, but it reflects the global direction of travel with similar reform being considered in the USA, Europe and globally by the Organisation for Economic Co-operation and Development (OECD).
This code will lead to changes that UK Parliament wants.
Parliament and government ensured UK data protection laws will truly transform the way we look after children online by requiring my office to introduce this statutory code of practice.
The code delivers on that mandate and requires information society services to put the best interests of the child first when they are designing and developing apps, games, connected toys and websites that are likely to be accessed by them.
This code is achievable.
The code is not a new law but it sets standards and explains how the General Data Protection Regulation applies in the context of children using digital services. It follows a thorough consultation process that included speaking with parents, children, schools, children’s campaign groups, developers, tech and gaming companies and online service providers.
Such conversations helped shape our code into effective, proportionate and achievable provisions.
Organisations should conform to the code and demonstrate that their services use children’s data fairly and in compliance with data protection law.
The code is a set of 15 flexible standards – they do not ban or specifically prescribe – that provides built-in protection to allow children to explore, learn and play online by ensuring that the best interests of the child are the primary consideration when designing and developing online services.
Settings must be “high privacy” by default (unless there’s a compelling reason not to); only the minimum amount of personal data should be collected and retained; children’s data should not usually be shared; geolocation services should be switched off by default. Nudge techniques should not be used to encourage children to provide unnecessary personal data, weaken or turn off their privacy settings. The code also addresses issues of parental control and profiling.
This code will make a difference.
Developers and those in the digital sector must act. We have allowed the maximum transition period of 12 months and will continue working with the industry.
We want coders, UX designers and system engineers to engage with these standards in their day-to-day to work and we’re setting up a package of support to help.
But the next step must be a period of action and preparation. I believe companies will want to conform with the standards because they will want to demonstrate their commitment to always acting in the best interests of the child. Those companies that do not make the required changes risk regulatory action.
What’s more, they risk being left behind by those organisations that are keen to conform.
A generation from now, I believe we will look back and find it peculiar that online services weren’t always designed with children in mind.
When my grandchildren are grown and have children of their own, the need to keep children safer online will be as second nature as the need to ensure they eat healthily, get a good education or buckle up in the back of a car.
And while our code will never replace parental control and guidance, it will help people have greater confidence that their children can safely learn, explore and play online.
There is no doubt that change is needed. The code is an important and significant part of that change.
Elizabeth Denham CBE