Explaining the Ins & Outs Of The Age Appropriate Design Code
The ICO have just released a data protection Children’s Code (or Age Appropriate Design Code in full) that outlines an organisation’s responsibility for its online practices with regard to children.
The code will cover apps, online games, platforms, websites, social media sites or anything else likely to be accessed by a child.
It came into force on the 02nd Sep 2021 and organisations now have twelve months to make sure they’re fully compliant with the new code.
Here’s what you need to know and what you’ll need to do to make sure your organisation is ‘up to code’…
What Is The Children’s Code?
DEFINITION OF THE AGE APPROPRIATE DESIGN CODE
The Age Appropriate Design Code, otherwise known as the children’s code, is a new statutory code of practice that falls under the General Data Protection Regulation.
It’s there to recognise the fact that children should be given extra consideration around their personal data, whilst helping organisations understand what is and will be expected of them.
The ICO has ‘translated’ what the law says into fifteen standards that any and all organisations providing online services should follow to remain compliant within the law.
Following the principle of Privacy First, the code is there to ensure children have a baseline of protection automatically, by default and by design, so that they’re protected within the digital world, not from it.
Any organisation that isn’t fully compliant with the code by September ’21 could face penalties from the ICO such as compulsory audits, orders to stop the processing of personal information and fines of up to 4% of their global turnover!
Why Is A Children’s Code Needed?
EXPLAINING WHY THE AGE APPROPRIATE DESIGN CODE BECAME NECESSARY
Most, if not all, modern apps, games and websites will start collecting data on their users the moment someone opens/visits them.
That data can then be used to tailor what advertisements a child might see, shape how they’re encouraged to engage with the app/site or even how they’re ‘persuaded’ to spend more time using an organisation’s services.
Whilst the digital world can offer truly awesome experiences for younger users to learn and enjoy themselves, it was felt that not enough was being done to create a space within the digital world for children to explore and grow safely.
What Do Organisations Need To Change For The Children’s Code?
HOW TO PREPARE FOR THE AGE APPROPRIATE DESIGN CODE
Service and platform providers will need to acknowledge within their GDPR compliance that children must be treated differently to their adult users.
In the UK, children make up 20% of internet users… even though it was never designed for them or with their needs in mind.
Take the ‘real world’ for instance.
There are plenty of laws protecting children… car seats, film and game ratings, drinking and smoking age restrictions… The Age Appropriate Design Code just follows that thought process through to its logical conclusion by adding those same protections to the digital world.
In real terms that means organisations will need to make it clear when a child’s personal data is being used to drive the content they’re seeing/experiencing, whilst recognising and protecting a child’s right to privacy.
The law will compel organisations to:
- Provide privacy settings set to their highest… by default
- Switch off any geo-location services that could reveal a child’s location to anyone else
- Cease the use of all ‘nudge’ techniques and notifications that encourage minors to give up additional private data/personal information
Children, or their parents/adult supervisors, can, of course, change these settings, but they need to be there by default, as set out in the Children’s Code.
Organisations, to remain GDPR and Children’s Code compliant, will be expected to:
- Create an open, transparent, and safe place for children whilst they’re online
- Comply with a set of standards when designing, developing, or providing online services that are likely to be accessed by children
- Always consider the best interests of the child when processing their personal data
- Implement the highest of privacy settings by default whilst using language that is clear and easy for children of different ages and development stages to understand
For organisations with high Data Protection standards forming the root of their processing, the Children’s Code should not cause any major problems. As with all Data Protection matters, however, organisations must ultimately be able to demonstrate their accountability i.e. that the risks have been considered, steps have been taken, and that the steps taken are justifiable according to the risks as assessed by that organisation. – Jane Rudge – cloudThing, Chief Commercial and Compliance Officer
When Does The Children’s Code Take Effect?
THE AGE APPROPRIATE DESIGN CODE ENFORCEMENT DATE
It already has!
The Age Appropriate Design Code/Children’s Code came into force on the 02nd September 2020; however, the ICO have allowed for a twelve-month grace period for organisations to become compliant… by the 02nd September 2021.
What Happens To Organisations Not Compliant With The Children’s Code By 02nd September 2021?
CONSEQUENCES OF NOT COMPLYING WITH THE AGE APPROPRIATE DESIGN CODE…
Remember getting compliant for GDPR back in May of ’18?
The Children’s Code is rooted within GDPR and DPA legislation that the ICO is already enforcing.
Any organisation operating services accessed by children that is asked to demonstrate its compliance with GDPR or PECR (Privacy and Electronic Communications Regulations) will struggle to show compliance if the Children’s Code hasn’t also been considered within its data protection policies.
As a worst-case scenario, should the ICO get involved, your organisation could be looking at audits, assessments, stop processing orders and fines of up to 4% of your global turnover… The ICO is taking this seriously and so should you!
How Old Is The Definition Of A Child In the Children’s Code?
THE AGE APPROPRIATE DESIGN CODE DEFINITION OF A CHILD…
The Children’s Code will define anyone under the age of 18 as a child for the purposes of compliance.
Many websites in the UK have, up until now, ‘thought’ of children as those being under the age of 13, often citing Article 8 of GDPR.
However, this has always been just that… a misconception, and is now clarified in the Children’s Code.
Article 8 of GDPR sets out when a child becomes old enough to provide consent to the processing of their own data, but it’s never set the age of a child as 13.
Does The Children’s Code Change GDPR?
THE AGE APPROPRIATE DESIGN CODE WITHIN GDPR AND DPA
Data Protection regulations haven’t changed; the Children’s Code will just refocus specific attention on those under 18 years of age.
Everything within the new code links back to existing provisions within GDPR; it just adds another level of complexity to what the ICO Commissioner will expect of organisations when dealing with children, in order to remain GDPR compliant.
Which Organisations Will Be Affected By The Children’s Code?
SERVICES & WEBSITES THE AGE APPROPRIATE DESIGN CODE WILL REGULATE…
The Children’s Code will apply to any and all organisations offering ‘Information Society Services’ that are likely to be accessed by children within the UK.
Basically, it won’t matter if your app, game, device, search engine, social platform or website is specifically targeted at children or not. If there’s a possibility a child could use it then the Children’s Code will kick in.
The ICO have also confirmed their default position will be to expect most online services to fall under the Children’s Code.
Will The Children’s Code Only Affect UK Companies?
GEO-LOCATIONS APPLICABLE TO THE AGE APPROPRIATE DESIGN CODE
The Children’s Code will apply to all UK organisations and companies.
It will also apply to any non-UK organisations with offices, branches or establishments in the UK that process children’s personal data in the context of the activities of that office.
It will also affect any organisations based outside of the EEA, even those without offices in the UK, if they offer services to UK end users (or monitor UK users/collect data on UK users) and those services are likely to be accessed by children.
How Will The Children’s Code Be Enforced?
HOW THE AGE APPROPRIATE DESIGN CODE WILL BE APPLIED BY THE ICO
We’re currently in the twelve-month grace period to prepare for the new Children’s Code.
After that expires (02nd Sep 2021) the ICO will investigate anywhere they have concerns for the digital welfare of children, starting with areas with the highest risk of harm.
They’ll also actively be investigating complaints made by parents, teachers, carers, or other adults that have identified possible breaches.
As with their GDPR investigations, the response they take is designed to be proportionate and risk-based but, should they find an organisation showing a blatant disregard for children’s privacy, as already mentioned, fines of up to 4% of global turnover could be applied.
Is There A Specific Legal Definition For ‘The Best Interest Of The Child’?
A wide one!
The United Nations Convention on the Rights of the Child states: The UNCRC incorporates provisions aimed at supporting the child’s needs for safety, health, wellbeing, family relationships, physical, psychological and emotional development, identity, freedom of expression, privacy and agency to form their own views and have them heard. Put simply, the best interests of the child are whatever is best for that individual child.
This will be used in conjunction with: “Children merit specific protection with regard to their personal data, as they may be less aware of the risks, consequences and safeguards concerned and their rights in relation to the processing…” – Recital 38 to GDPR
How Should Organisations Apply The Standard ‘The Best Interest Of The Child’?
To make sure your organisation is able to effectively apply the standard ‘the best interest of the child’, the ICO suggests you consider the specific needs of the child users of your platform or service and how you can best support those needs in your design and implementation processes:
- Keep children safe from exploitation risks, including the risks of commercial or sexual exploitation and sexual abuse
- Protect and support children’s health and wellbeing
- Protect and support children’s physical, psychological and emotional development
- Protect and support children’s need to develop their own views and identity
- Protect and support children’s right to freedom of association and play
- Support the needs of children with disabilities in line with the obligations under the relevant equality legislation for England, Scotland, Wales, and Northern Ireland
- Recognise the role of parents in protecting and promoting the best interests of the child and support them in this task
- Recognise the evolving capacity of the child to form their own view, and give due weight to that view
Does The Children’s Code Mean I Need To ‘Age-Gate’ My App/Website/Platform?
The ICO have confirmed they’re not interested in seeing an age-gated internet.
What they want instead is a fundamental shift in how organisations approach the collection and processing of children’s private information, in which the processing of data from apps, websites and platforms takes a child-centric approach, building in relevant privacy protection from the beginning, rather than trying to add it on as an afterthought.
How Can An Organisation Know How Old Their Users Are?
In short… as long as your privacy standards are set high enough as per the Children’s Code, you shouldn’t need to know the age of your users.
If, however, you decide not to go down that route you will need to establish age.
The ICO have set out several appropriate ways for organisations to do this within the Children’s Code:
- Artificial intelligence
- Third-party age verification services
- Account holder confirmation
- Technical measures
- Hard identifiers
How Will The Children’s Code Work In Relation To Data Minimisation?
There’s nothing set out in the Children’s Code that prevents data minimisation.
Data minimisation isn’t there to stop organisations collecting personal data. If you need to ask the age of a user to verify whether they’re a child or not, then this is wholly compliant with data minimisation, which states you should only collect data you actually need for a specific purpose.
What Happens If Children Lie About Their Age?
The ICO is well aware that no age assurance technique is 100% infallible, so don’t worry too much on this point.
If a complaint were made or your organisation came to the attention of the ICO through some other means then they’d look at whether the age assurance measures your organisation had put in place were stringent enough given the risk of children lying.
In layman’s terms… Has your organisation done enough to try and verify the age of its users and ensure that the personal data of children will be processed in accordance with the Children’s Code?