Who: The Information Commissioner’s Office (ICO)
Where: United Kingdom
When: 21 January 2020
Law stated as at: 11 February 2020
What happened:
The ICO has published the final version of its Age Appropriate Design Code of Practice for Online Services (the Code).
What is it?
The Code is a statutory code of practice that the ICO was obliged to prepare under the Data Protection Act 2018. It sets privacy standards for designing information society services (in other words websites, apps and connected devices) which are likely to be accessed by children in the UK.
Who does it apply to?
The Code applies to any websites, apps, services or devices which are likely to be used by under 18s, whether or not they are specifically aimed or targeted at under 18s. So for instance a site which uses credit card gating technology or an age verification agency to ensure that all users are over 18 years of age would not need to comply, while a site that is open to, and could feasibly be used by, under 18s would need to comply with the Code.
What does it say?
The Code sets out 15 standards (plus a word on the importance of governance and accountability) to which website, app or service operators must adhere. Please see our previous article, released when the ICO’s consultation document was proposed, for further details of these.
The Code encourages businesses to consider the age ranges of all users of their service when working out what constitutes adequate protection. For instance, an appropriate approach for a website which may be used by 16-17 year olds (as well as adults) would likely be different to that taken for a website being used by 8-9 year olds. This assessment then has a knock-on effect as to how data should be collected and processed, and how transparency obligations can be discharged. For example, it may be more appropriate to describe the impacts of data collection to very young children via cartoons, videos or graphics which will attract and interest them; whereas clear privacy information and a preferences dashboard might be more appropriate for a website only being accessed by late teens.
Importantly, if no assessment is made as to the likely age ranges of users, all aspects of the Code would need to be adhered to. This would mean that the safest option to ensure compliance would be to gear privacy options, controls and information towards the youngest category of user, unless of course parts of the website, app or service are specifically age gated, in which case these should be geared towards the minimum age group that can access the gated areas.
Why this matters:
Once the Code has been approved by Parliament, businesses which are caught by it will have a 12 month implementation period during which they will need to make the appropriate changes to their systems and services in order to comply. It is expected that this period will end in summer / autumn 2021. As such, businesses should start giving thought as to how best to comply. For any new products or services in development, it is advisable to include a specific age-appropriate assessment at an early stage in the design process.
The Code sets out the ICO’s view on what are deemed to be responsible practices when using children’s data, in light of the GDPR. Therefore any failure to comply would make it harder for a business to demonstrate GDPR compliance, and this could lead to the usual eye watering fines of up to €20 million or 4% of annual global turnover.
A link to the full Code can be found here.
