At a glance
This code applies to “information society services likely to be accessed by children” in the UK. This includes many apps, programs, connected toys and devices, search engines, social media platforms, streaming services, online games, news or educational websites and websites offering other goods or services to users over the internet. It is not restricted to services specifically directed at children.
In more detail
- What services does this code apply to?
- What do you mean by an ‘information society service’?
- What types of online services are not 'relevant ISS'?
- When are services ‘likely to be accessed by children’?
- Does it apply to services based outside the UK?
- What about the eCommerce Regulations 2002?
Section 123 of the DPA 2018 says that this code applies to:
“relevant information society services which are likely to be accessed by children.”
It says that ‘information society services’ has the same meaning as it has in the GDPR except that it does not include ‘preventive or counselling services’, and that ‘relevant ISS’ are those which involve the processing of personal data to which the GDPR applies.
The vast majority of online services used by children are covered, although there are some limited exceptions that are discussed in more detail below. Annex A to this code provides a flowchart setting out the questions you will need to answer if you are uncertain whether your service is covered.
The definition is broad and the majority of online services that children use are covered.
‘Information society service’ is defined as:
“any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services.
For the purposes of this definition:
(i) ‘at a distance’ means that the service is provided without the parties being simultaneously present;
(ii) ‘by electronic means’ means that the service is sent initially and received at its destination by means of electronic equipment for the processing (including digital compression) and storage of data, and entirely transmitted, conveyed and received by wire, by radio, by optical means or by other electromagnetic means;
(iii) ‘at the individual request of a recipient of services’ means that the service is provided through the transmission of data on individual request.”
Essentially this means that most online services are ISS, including apps, programs and many websites including search engines, social media platforms, online messaging or internet based voice telephony services, online marketplaces, content streaming services (eg video, music or gaming services), online games, news or educational websites, and any websites offering other goods or services to users over the internet. Electronic services for controlling connected toys and other connected devices are also ISS.
These services are covered even if the ‘remuneration’ or funding of the service doesn’t come directly from the end user. For example, an online gaming app or search engine that is provided free to the end user but funded via advertising still comes within the definition of an ISS. This code also covers not-for-profit apps, games and educational sites, as long as those services can be considered as ‘economic activity’ in a more general sense. For example, they are types of services which are typically provided on a commercial basis.
If you are a small business with a website, your website is an ISS if you sell your products online, or offer a type of service which is transacted solely or mainly via your website without you needing to spend time with the customer in person.
Some services provided by public authorities
If you are a public authority which provides an online public service then, as long as the type of service you offer is not typically provided on a commercial basis your service is not a relevant ISS. This is because it is not a service ‘normally provided for remuneration’.
If you are a police force or other competent authority with an online service which processes personal data for law enforcement purposes, then your service isn’t a relevant ISS. This is because relevant ISS are those which involve the processing of personal data ‘to which the GDPR applies’. The GDPR does not apply to processing by competent law enforcement authorities for law enforcement purposes. For further information about the scope of the GDPR and how data protection law applies to processing for law enforcement purposes see our Guide to data protection.
Websites which just provide information about a real-world business or service
If your website just provides information about your real-world business, but does not allow customers to buy products online or access a specific online service, it is not an ISS. This is because the service being offered is not provided ‘at a distance’. An online booking service for an in-person appointment does not qualify as an ISS.
Traditional voice telephony services
Traditional voice telephony services are not relevant ISS. This is because they are not considered to be ‘delivered by electronic means’. This differs from internet based voice calling services (VOIP) which are within scope as they are delivered over the internet by electronic means.
General broadcast services
The definition of an ISS does not include broadcast services such as scheduled television or radio transmissions that are broadcast to a general audience, rather than at the request of the individual (even if the channel is broadcast over the internet).
This differs from ‘on demand’ services which are, by their nature, provided ‘at the individual request of a recipient’.
If you provide both a general broadcast and an on demand service, then the on demand element of your service will be covered by the code.
Preventive or counselling services
This code does not apply to websites or apps specifically offering online counselling or other preventive services (such as health screenings or check-ups) to children. This is because s123 scopes out ‘preventive or counselling services’. However, more general health, fitness or wellbeing apps or services are covered.
This code applies if children are likely to use your service. A child is defined in the UNCRC and for the purposes of this code as a person under 18.
If your service is designed for and aimed specifically at under-18s then the code applies. However, the provision in section 123 of the DPA is wider than this. It also applies to services that aren’t specifically aimed or targeted at children, but are nonetheless likely to be used by under-18s.
It is important to recognise that Parliament sought to use the wording ‘likely to be accessed by’ rather than narrower terms, to ensure that the application of the code did not exclude services that children were using in reality. This drew on experience of other online child protection regimes internationally, that only focused on services designed for children and therefore left a gap in coverage and greater risk.
We consider that for a service to be ‘likely’ to be accessed, the possibility of this happening needs to be more probable than not. This recognises the intention of Parliament to cover services that children use in reality, but does not extend the definition to cover all services that children could possibly access.
In practice, whether your service is likely to be accessed by children or not is likely to depend on:
- the nature and content of the service and whether that has particular appeal for children; and
- the way in which the service is accessed and any measures you put in place to prevent children gaining access.
You should take a common sense approach to this question. If your service is the kind of service that you would not want children to use in any case, then your focus should be on how you prevent access (in which case this code does not apply), rather than on making it child-friendly. For example, if it is an adult only, restricted, or otherwise child-inappropriate service. This code should not lead to the perverse outcome of providers of restricted services having to make their services child-friendly.
If your service is not aimed at children but is not inappropriate for them to use either, then your focus should be on assessing how appealing your service will be to them. If the nature, content or presentation of your service makes you think that children will want to use it, then you should conform to the standards in this code.
If you have an existing service and children form a substantive and identifiable user group, the ‘likely to be accessed by’ definition will apply.
Given the breadth of application, the ICO recognises that it will be possible to conform to this code in a risk-based and proportionate manner.
If you decide that your service is not likely to be accessed by children and that you are therefore not going to implement the code then you should document and support your reasons for your decision. You may wish to refer to market research, current evidence on user behaviour, the user base of similar or existing services and service types and testing of access restriction measures.
If you initially judge that the service is not likely to be accessed by children, but evidence later emerges that a significant number of children are in fact accessing your service, you will need to conform to the standards in this code or review your access restrictions if you do not think it is appropriate for children to use your service.
This code is issued under the DPA 2018. The DPA 2018 applies to online services based in the UK.
It also applies to online services based outside the UK that have a branch, office or other ‘establishment’ in the UK, and process personal data in the context of the activities of that establishment.
The DPA 2018 may also apply to some other services based outside the UK even if they don’t have an establishment in the UK. If the relevant establishment is outside the European Economic Area (EEA), the DPA 2018 still applies if you offer your service to users in the UK, or monitor the behaviour of users in the UK. The code applies if that service is likely to be accessed by children.
If you don’t have a UK establishment, but do have an establishment elsewhere in the EEA this code does not apply (even if you offer your service to UK users, or monitor the behaviour of users in the UK).
If the code applies to your processing but, under the GDPR ‘one-stop-shop’ arrangements you have a lead supervisory authority other than the ICO, then we may ask them to take the code into account when considering your compliance with the GDPR and PECR. Alternatively, if we consider the case to be a ‘local’ case (affecting UK users only), we may take action ourselves and take the code into account.
How will this change when the UK leaves the EU?
When the UK leaves the EU (or at the end of the implementation period, if the UK leaves the EU with a deal), the UK regime will apply to services established in the EEA who are targeting UK users in the same way as to services established outside the EEA. The UK will no longer be part of the GDPR one-stop-shop system.
If you are established in the EEA and offer your service to UK users, or monitor the behaviour of users in the UK, this code will apply to you from exit day (or from the end of the implementation period if a deal is agreed).
The eCommerce Regulations 2002 (ECR) do not exempt you from compliance with your data protection obligations. Regulation 3(1)(b) of the ECR, as amended by Schedule 19 Part 2 paragraph 288 of the DPA 2018, states that:
‘Nothing in these Regulations shall apply in respect of –
(b) questions relating to information society services covered by the GDPR and Directive 2002/58/EC of the European Parliament and of the Council of 12th July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications)’
Whilst the ECR includes a ‘safe harbour’ regime for certain activities that you may carry out as an ‘intermediary’ service provider, it is important to note that:
- this does not remove your responsibility for data protection compliance, either in general or in relation to those activities; and
- the provisions of the GDPR are without prejudice to this regime.
The ICO will take the safe harbour regime into account, particularly in cases of complaints and potential regulatory action arising from activities relating to those that the safe harbour regime covers.
You should assess how the legal framework applies to activities you perform in your own right, and those which you perform as an intermediary. For example, an Internet Service Provider (ISP) or Mobile Network Operator (MNO) might provide core connectivity services as an intermediary service provider whilst also providing services such as customer service Apps or corporate websites in their own right. If necessary you may need to obtain specialist legal advice.
For more information, see the section on ‘Enforcement of this Code’.
Further reading outside this code
For further information on the definition of an ISS see:
Article 1(1) and Annex 1 of Directive (EU) 2015/1535 (Article 4(25) of the GDPR incorporates this definition into the GDPR) Ker-Optika v ANTSZ (CJEU case C-108/09, 2 December 2010)
McFadden v Sony (CJEU case C-484/14, 15 September 2016)
Elite Taxi v Uber (Opinion of the AG in case C-434/15, 11 May 2017)
For more information on whether the GDPR applies, see our guidance:
For more information on the GDPR one-stop-shop principle, see the EDPB guidelines on the lead supervisory authority.