What is the Children’s Code and why should online service providers be aware of it, even if children aren’t their target market?

The Children’s Code, more formally known as the Age Appropriate Design Code, came into force on 2 September 2020 but provided for a 12-month transition period to provide organisations with time to put measures in place to comply.

With less than six months to go before the end of the transition period, the UK data protection regulator, the Information Commissioner’s Office (the ICO) is encouraging organisations to take action now to ensure their products and services comply with the Code in time.

This article explains what the Code is and what it means for your organisation.

What is the Children’s Code?

In recent times, there has been an increasing number of children accessing the internet and an explosion of different types of new technology which can be used to access the internet.

Whilst the ICO recognises that digital services can offer a multitude of benefits to young people under the age of 18, it did not feel the industry was currently offering a safe space for them and their personal data. This is why the Children’s Code has been adopted and was approved by Parliament last year.

It is worth noting that the Children’s Code is separate from the planned Online Harms Regulation, which has been widely discussed in the media. The Online Harms Regulation will cover a greater risk of potential harms to children when using online services whereas the Children’s Code focuses purely on data protection harms.

The Code requires businesses to implement default settings which ensure that children have the best possible access to online services whilst minimising data collection and use, by default. It also aims to ensure that children who choose to change their default settings get the right information, guidance and advice before they do so, and receive proper protection in how their data is used afterwards.

The Code introduces fifteen standards to be followed by organisations to protect children’s privacy.

Children are not my target demographic so why does it matter to me?

The Code is wide in its scope and applies to all Information Society Services (ISS) which are likely to be accessed by children in the UK, not just those which are specifically targeting children. Most online services like websites, apps and search engines are classed as an ISS.

This means that anyone who could potentially be providing services to children will be covered by the Code, such as operators of mobile apps (for example fitness apps, games, educational apps to name a few), online games, Internet of Things (IoT) devices, connected toys, websites, messaging services, online steaming services and social media sites. This is whether they are specifically designed or marketed at children or not.

Under the Code a “child” is anybody under the age of 18 (whereas in comparison, data protection laws sets the age of consent to data processing at 13) which greatly widens the scope of the Code by bringing a much wider range of online services under its remit.

For any organisation that is not sure whether the Code will apply to them or not, they should seek specialist advice before deciding whether or not they need to follow the Code.

Why should I comply?

Whilst the Children’s Code is not law, the courts and the ICO will take the standards in the Code into account when looking at whether an organisation has complied with its data protection obligations. It will also consider this when deciding whether to take enforcement action, so it is important that organisations caught by the Children’s Code familiarise themselves with the standards and consider how they can ensure they comply.

As well as helping avoid the risk of falling below the standard expected by the ICO / courts when it comes to data protection compliance, bringing your business in line with the Children’s Code will also help with your reputation and will help instil confidence in your users by showing you are applying best practice in handling children’s data. It may provide you with the opportunity to become the market-leader in your sector while others who are less concerned about their compliance fall behind, giving you the competitive advantage.

As well as being important for those offering services that may be accessible to children, it is also important that other businesses that may be indirectly involved with offering services to children are aware of the Code and how it may apply to the businesses they work with.

For example, professionals in the User Experience (UX) and design community who may work with online services caught by the Children’s Code should understand how they can help their client’s comply when designing changes to their services

What does the Children’s Code require?

In summary, the Code expects those who fall within its scope to:

  • Put into effect default high privacy settings and use clear language that is easy to understand for children at different development stages. This also includes providing important safeguards surrounding the automated profiling of children, the use of geolocation data and transparency of marketing techniques;
  • Follow a set of fifteen standards when designing, developing or providing online services where they are likely to be accessed by children;
  • Create and maintain a transparent and secure space for children when they are online; and
  • Always keep in mind the best interests of the child when processing their personal data.

The full text of the Code can be found on the ICO’s website here.

What Next?

With initial findings from industry research set up by the ICO showing that only three quarters of businesses surveyed were aware of the Children’s Code, the ICO is urging organisations to act now to bring their products and services into compliance. It has pledged to develop a tailored package of support to assist organisations in adapting their online services and products before 2 September 2021.

With less than six months to go, those organisations impacted by the Children’s Code should start familiarising themselves with the details and the fifteen standards, as for most organisations significant changes will need to be made to their products and service offerings in order to comply.

For many organisations, making the necessary changes will likely require significant design, development and management time, so we would recommend organisations that have not already started this process start as soon as possible.

The ICO is also engaging with external bodies who are looking at setting up standard codes of practice and certification schemes for compliance with the Children’s Code and have indicated they may endorse such schemes in the future. It is therefore worth keeping an eye out for future developments as we approach the end of the transitional period in September 2021.

Our Data Protection Team has significant experience helping organisations navigate the legal issues involved in handling children’s personal data. If you have any concerns about adapting your online services or products to comply with the Children’s Code, please get in touch.