Feb 10, 2021 | Articles, Cyber Security, GDPR, ISO

The Age Appropriate Design Code

Howard Freeman

Howard Freeman

The Children’s Code

The Children’s Code (or Age Appropriate Design Code to give its proper title) is a data protection code of practice for online services. This includes apps, online games, and web and social media sites that are likely to be accessed by children. The Children’s Code is a statutory code of practice under the Data Protection Act 2018 (DPA 2018).

It came into force on 2nd September 2020 and organisations now have twelve months to get everything in place.

Children should be given special treatment when it comes to their personal data and this data protection framework recognises this. The purpose of the code is to translate the text of the law into 15 standards. Online services should ensure they follow these standards in order to comply with the law.

Today, children are treated differently in the real world. This new this new code is designed to ensure they are treated differently in the digital world also.

The aim of the code is to ensure that children have a baseline of protection automatically by design and default, so that they are protected within the digital world rather than being protected from it.

Why do we need a Children’s Code?

Apps, games and websites gather data from the moment a young person opens or visits them. This data can include who’s using the service, how frequently and their location.

Such information may then be used to tailor the advertisements they see. The data is also used to shape the content they are encouraged to engage with or to persuade them to spend more time using services.

For all the benefits digital services can offer children, the industry is not currently creating a safe space for them to learn, explore and play. Therefore, a change in the law is needed.

What needs to change:

Services need to acknowledge that children should be treated differently. One in five people in the UK who use the internet are children, but the internet was not designed with them in mind.

There are laws to protect children in the real world – film ratings, car seats, age restrictions on drinking and smoking. We need laws to protect children in the digital world too and our code seeks to do that.

What does this mean in practice?

When personal data drives the content that children are exposed to, this must be made clear. You must also recognise and act on your responsibilities to protect children’s rights and freedoms. The law compels you to.

In practical terms this includes:

Of course children, and the adults that look after them, can choose to change their default settings, but the code makes sure they get the right information, guidance and advice before they do so, and proper protection in how their data is used afterwards.

What does a statutory code mean?

The Commissioner must take the code into account when considering whether an online service has complied with its data protection obligations under the General Data Protection Regulation (GDPR) or the Privacy and Electronic Communications Regulations 2003 (PECR). In particular, the Commissioner will take the code into account when considering questions of fairness, lawfulness, transparency and accountability under the GDPR, and in the use of her regulatory powers.

The code can also be used as evidence in court proceedings, and the courts must take its provisions into account wherever relevant.

When does the code come into force?

The Age Appropriate Design Code came into force on 2 September 2020 but there is a 12 month transition period. Therefore, organisations will need to conform with it from 2nd September 2021.

What will happen during the transition period?

The ICO will be developing additional resources as part of our package of support to help organisations in making changes to their services.

What happens if relevant services do not conform to the code?

The code is rooted in existing data protection laws (the GDPR and DPA 2018). Services that are likely to be accessed by children and which process their personal data will find it more difficult to demonstrate that processing is fair. They will also need to demonstrate that it complies with the GDPR and PECR. They will find both very difficult if they don’t conform to the code. If services process a child’s personal data in breach of the GDPR or PECR, the ICO can take action. The ICO has a range of regulatory powers including audits, assessments, stop processing orders and fines. These are subject to other applicable laws.

What will happen to the code post-Brexit?

The Age Appropriate Design Code is a requirement of UK data protection law and completed the Parliamentary scrutiny process in July 2020. It will continue to apply post-Brexit.

After Brexit, the code will apply to services established in the EEA who are targeting UK users in the same way as to services established outside the EEA.


Can we help?