This code came into force on 2 September 2020, with a 12 month transition period. Organisations should conform by 2 September 2021.
At a glance
This code explains how to ensure your online services appropriately safeguard children’s personal data. You should follow the code to help you process children’s data fairly. It will also enable you to design services that comply, and demonstrate you comply, with the GDPR and PECR. If you do not follow this code, you are likely to find it more difficult to demonstrate your compliance with the law, should we take regulatory action against you.
- Who is this code for?
- What is the purpose of this code?
- What is the status of this code?
- How should we use the code?
Who is this code for?
This code is for providers of information society services (ISS). It applies to you if you provide online products or services (including apps, programs, websites, games or community environments, and connected toys or devices with or without a screen) that process personal data and are likely to be accessed by children in the UK. It is not only for services aimed at children. In this code ‘online service’ means a relevant ISS. For more information, see the separate section on services covered by this code.
What is the purpose of this code?
This code addresses how to design data protection safeguards into online services to ensure they are appropriate for use by, and meet the development needs of, children.
It reflects the increasing concern about the position of children in society and the modern digital world in particular. There is agreement at international level and within the UK that much more needs to be done to create a safe online space for them to learn, explore and play. This code achieves this not by seeking to protect children from the digital world, but by protecting them within it.
The UNCRC recognises that children need special safeguards and care in all aspects of their life and requires that these should be guaranteed by appropriate legal protections. European level data protection law reflects this and provides its own additional safeguards for children.
In the UK, Parliament and government have acted to ensure that our domestic data protection laws do truly transform the way we safeguard our children when they access online services by requiring the Commissioner to produce this statutory code of practice. This code delivers on Parliament and the government’s intent to use data protection law to make a profound and lasting change to how we look after our children when they access online services.
It takes account of the standards and principles set out in the UNCRC, and sets out specific protections for children’s personal data in compliance with the provisions of the GDPR.
If you provide relevant online services, this code will help you to comply, and demonstrate that you comply, with your data protection obligations. Conforming to the standards in this code will be a key measure of your compliance with data protection laws. Following this code will also show parents and other users of your services that you take children’s privacy seriously, you can be trusted with children’s data, and your services are appropriate for children to use.
How does this code take account of the rights of the child?
In preparing this code, the Commissioner is required to consider the UK’s obligations under the UNCRC, and the fact that children have different needs at different ages.
The code incorporates the key principle from the UNCRC that the best interests of the child should be a primary consideration in all actions concerning children. It also aims to respect the rights and duties of parents, and the child’s evolving capacity to make their own choices.
In particular, this code aims to ensure that online services use children’s data in ways that support the rights of the child to:
- freedom of expression;
- freedom of thought, conscience and religion;
- freedom of association;
- access information from the media (with appropriate protection from information and material injurious to their well-being);
- play and engage in recreational activities appropriate to their age; and
- protection from economic, sexual or other forms of exploitation.
How does this code support parents?
Parents (or guardians) play a key role in protecting their children and deciding what is in their best interests. However, in the context of online services, parents and children may find it difficult to make informed choices or exercise any control over the way those services use children’s data. Often the only choice in practice is to avoid online services altogether, which means the child loses the benefits of online play, interaction and development. This code therefore expects providers of these services to take responsibility for ensuring that the way their services use personal data is appropriate to the child’s age, takes account of their best interests, and respects their rights; as well as supporting parents or older children in making choices (where appropriate) in the child’s best interests.
How does this code support data protection compliance?
The UK data protection regime is set out in the Data Protection Act 2018 (DPA 2018) and the GDPR. This regime requires you to take a risk-based approach when you use people’s data, based on certain key principles, rights and obligations.
This code supports compliance with those general principles by setting out specific protections you need to build in when designing online services likely to be accessed by children, in line with Recital 38 of the GDPR:
“Children merit specific protection with regard to their personal data, as they may be less aware of the risks, consequences and safeguards concerned and their rights in relation to the processing of personal data. Such specific protection should, in particular, apply to the use of personal data of children for the purposes of marketing or creating personality or user profiles and the collection of personal data with regard to children when using services offered directly to a child…”
In particular, this code sets out practical measures and safeguards to ensure processing under the GDPR can be considered ‘fair’ in the context of online risks to children, and will help you comply with:
- Article 5(1)(a): the fairness, lawfulness and transparency principle;
- Article 5(1)(b): the purpose limitation principle;
- Article 5(1)(c): the data minimisation principle;
- Article 5(1)(e): the storage limitation principle;
- Article 5(2): the accountability principle;
- Article 6: lawfulness of processing;
- Articles 12, 13 and 14: the right to be informed;
- Articles 15 to 20: the rights of data subjects;
- Article 22: profiling and automated decision-making;
- Article 25: data protection by design and by default; and
- Article 35: data protection impact assessments (DPIAs).
It covers your use of ‘inferred data’ (information about a child that you don’t collect directly, but that you infer from other information or from their behaviours online) as well as data you collect directly from the child.
Annex C also includes some guidance on identifying your lawful basis for processing in the context of an online service. If you rely on consent, it explains the Article 8 rule on parental consent for children under 13.
If you need to process personal data in order to protect children from online harms, such as child sexual exploitation and abuse, then this code shouldn’t prevent you from doing so. However, you need to satisfy all the usual data protection requirements before you proceed, such as ensuring that the processing is fair and proportionate to the harm you are seeking to prevent, identifying a lawful basis for processing and providing transparency information.
What is the legal status of the code?
This is a statutory code of practice prepared under section 123 of the DPA 2018:
“The Commissioner must prepare a code of practice which contains such guidance as the Commissioner considers appropriate on standards of age appropriate design of relevant information society services which are likely to be accessed by children.”
It was laid before Parliament on 11 June 2020 and issued on 12 August 2020 under section 125 of the DPA 2018. It comes into force on 2 September 2020.
As was made clear in the Parliamentary debates when the Data Protection Bill passed through Parliament, if your online service fails to conform to a provision of this code you may find it difficult to demonstrate compliance with the law and you may invite regulatory action.
In accordance with section 127 of the DPA 2018, the Commissioner must take the code into account when considering whether an online service has complied with its data protection obligations under the GDPR or PECR. In particular, the Commissioner will take the code into account when considering questions of fairness, lawfulness, transparency and accountability under the GDPR, and in the use of her enforcement powers.
The code can also be used in evidence in court proceedings, and the courts must take its provisions into account wherever relevant.
What happens if we don’t conform to the standards in this code?
If you don’t conform to the standards in this code, you are likely to find it more difficult to demonstrate that your processing is fair and complies with the GDPR and PECR. If you process a child’s personal data in breach of the GDPR or PECR, we can take action against you.
Tools at our disposal include assessment notices, warnings, reprimands, enforcement notices and penalty notices (administrative fines). For serious breaches of the data protection principles, we have the power to issue fines of up to €20 million (£17.5 million when the UK GDPR comes into effect) or 4% of your annual worldwide turnover, whichever is higher.
Our approach to using these powers will take account of the risks to children that arise from your data processing, and the efforts you have made to conform to the standards in this code. In cases where we find against you, we are more likely to allow you time to bring your service into compliance if you have a well-documented and reasoned case to support the approach you have taken.
Conversely, if you have not taken proper steps to conform despite clear evidence or constructive knowledge that children are likely to access your service, and clear evidence of significant risk arising from the use of children’s data, we are more likely to take formal regulatory action. The established ICO approach to enforcement as set out in our Regulatory Action Policy will apply to use of children’s personal data under the GDPR and consideration of this code.
For more information, see the separate section on enforcement of this code.
How is this code affected when the UK leaves the EU?
This code is based on and refers to the relevant provisions of the DPA 2018 and GDPR as they apply in the UK in November 2019, before exit day.
If the UK leaves the EU with no deal, the EU version of the GDPR will no longer be law in the UK. However, a UK version of the GDPR will be written into UK law (UK GDPR). The UK GDPR will sit alongside an amended version of the DPA 2018. Although this code is based on the provisions of the DPA 2018 and EU GDPR in effect before exit day, the key data protection principles, rights and obligations underlying this code will remain the same under the UK GDPR.
The standards in this code will therefore still apply. The Commissioner will continue to take the code into account. However, after exit day, you should read references in this code to the GDPR as references to the equivalent provision in the UK GDPR. We have also highlighted a few specific changes throughout this code where directly relevant.
If the UK agrees to leave the EU with a deal, there will be an implementation period during which the GDPR – and this code – will continue to apply in the UK in the same way as before exit day. At the end of the implementation period, the default position is the same as for a no-deal exit, and we expect this code to remain in effect.
If there are any further changes to the details of the future UK regime, the Commissioner will review the standards in this code to ensure they remain relevant and appropriate to support compliance with UK law.
What is the status of ‘further reading’ or other linked resources?
Any further reading or other resources which are mentioned in or linked from this code do not form part of the code. We provide links to give you helpful context and further guidance on specific issues, but there is no statutory obligation under the DPA 2018 for the Commissioner or courts to take it into account (unless it is another separate statutory code of practice).
Where we link to other ICO guidance, that guidance will inevitably reflect the Commissioner’s views and inform our general approach to interpretation, compliance and enforcement.
We may also link to relevant guidance provided by the European Data Protection Board (EDPB), which is the independent body established to ensure consistency within the EU when interpreting the GDPR and taking regulatory action.
How should we use the code?
The standards at the start of this code are the 15 headline ‘standards of age appropriate design’ that you need to implement. The main body of this code is then divided into 15 sections, each giving more detail on what the standard means, why it is important, and how you can implement it. This further explanation is designed to help you if you aren’t sure what to do, but it is not prescriptive. It should give you enough flexibility to develop services which conform to the standards in your own way, taking a proportionate and risk-based approach. It will help you to design services that comply with the GDPR and PECR.
Your conformity to the code will be assessed against the 15 headline standards. However, we recommend that you read the code in full as it will help you understand how you can implement each standard properly. These standards are cumulative and interdependent - you must implement all of them, to the extent they are relevant to your service, in order to demonstrate your conformance to the code.
This code assumes familiarity with key data protection terms and concepts. We have included a glossary at the end of this code as a quick reference point for common concepts and abbreviations, but if you need an introduction to data protection – or more context and guidance on key concepts – you should refer to our separate Guide to Data Protection.
This code focuses on specific safeguards to ensure your data regime is appropriate for children who are likely to access your service, so that you process their data fairly. It is not intended as an exhaustive guide to data protection compliance. For example, it does not elaborate on your obligations on security, processors or breach reporting. You need to make sure you are aware of all of your obligations, and you should read this code alongside our other guidance. Your DPIA process should incorporate measures to comply with your data protection obligations generally, as well as conform to the specific standards in this code.