The Age Appropriate Design Code for the privacy of children online

On 21 January, the Information Commissioner’s Office (ICO) published a new statutory code of practice, the Age Appropriate Design Code, aimed at improving children’s safety within the digital world and creating a “safe space for them to learn, explore and play.”

The Age Appropriate Design Code, which was first published in draft form last April, will now be laid before Parliament for approval. There will be a 12-month transition period once the code is approved, meaning that the ICO expects to enforce the Code from autumn 2021.

The Code comes in response to demands for change to the way we look after children online and will add a new layer to existing child safeguarding mechanisms, such as the special protections provided in existing data protection laws.

In her foreword to the Age Appropriate Design Code, Information Commissioner Elizabeth Denham notes how the Code’s implementation will mark a milestone in the safeguarding of children’s privacy online: “A generation from now, I believe we will look back and find it peculiar that online services weren’t always designed with children in mind.”

What standards does the code introduce?

There are 15 standards which include provisions against the detrimental use of a child’s data, nudge techniques and profiling.

Under the Code, a child’s personal data should not be collected for uses which would be considered as detrimental to a child’s well-being, whilst nudge techniques should not be used to encourage children to provide their personal data where it is unnecessary.

The standard on profiling will require any profiling mechanism to be switched off as standard and to only be used in circumstances where there are appropriate measures to protect the child from any harmful effect. Particular importance is placed on protection from content which would be detrimental to a child’s well-being.

What will the Age Appropriate Design Code apply to?

The Code applies to “information society services likely to be accessed by children”. The ICO has noted that this may include “apps, programs, connected toys and devices, search engines, social media platforms, streaming services, online games, news or educational websites and websites offering other goods or services to users over the internet.”

Although the Code encourages compliance with the threat of regulatory action and reputational damage amongst the public, the Code itself is not law. Nonetheless, failure to comply with the Code will make it difficult for organisations to demonstrate that their processing of personal data complies with data protection law. The Code is the first of its kind and it will be interesting to watch how the industry, designers and software developers will respond.

For more information and advice as to whether the Age Appropriate Design Code applies to your online service, please contact our specialist data protection lawyers.