On 2 September 2020, the Information Commissioners Office (ICO), Age Appropriate Design Code (the Code), a statutory code of practice, came into force with a transitional period of one year to allow businesses time to consider its effects and prepare accordingly.
Now that this transitional period has ended, what impact has the Age Appropriate Design Code had on the online environment and how can businesses take steps toward compliance?
What is the Age Appropriate Design Code?
With approximately 20% of internet users being children and a significant rise in the number of services accessed online during the COVID-19 pandemic, the Age Appropriate Design Code introduces 15 standards that aim to provide greater levels of protection to children who use the internet, whilst assisting businesses in designing services that comply with the General Data Protection Regulation (GDPR) and the Privacy and Electronic Communications Regulations (PECR).
Who does the Age Appropriate Design Code apply to?
The Age Appropriate Design Code has a wide reach and significantly, it defines the term ‘child’ as anyone under the age of 18, marking a departure from the previous regime under which additional protections such as these, were only applicable to those under the age of 13.
When coupled with the fact that the ICO guidance stipulates that the Code applies to “information society services likely to be accessed by children” and defines the term Information Society Service (ISS) as “any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services”, the broad scope of the Code becomes clear.
Additionally, the ICO explicitly states that where websites are provided on a commercial basis, such as those being funded via advertising revenue instead of direct payment from the end user, they will fall within the remit of the code.
Consequently, the Age Appropriate Design Code will be applicable to a vast range of services including online games, news and educational websites, streaming services and social media platforms and not-for-profit websites provided on a commercial basis, among others.
Does the code only apply to UK-based companies?
The new Age Appropriate Design Code applies to UK-based companies and non-UK companies that process the personal data of UK children.
What are the standards?
The 15 standards contained in the Age Appropriate Design Code are also broad in scope and include the following:
- A requirement to complete tailored Data Protection Impact Assessments that consider differing ages, capacities and development needs (standard 2).
- The requirement that privacy information, policies and other guidelines such as community standards are written in clear and intelligible language appropriate to the age of children who may use the service (Standard 4).
- A prohibition on the use of nudge techniques designed to encourage children to weaken privacy protections or provide personal data that is unnecessary (Standard 13).
- An obligation for high privacy settings to be turned on, and geolocation and profiling options to be turned off, by default (standards 7, 10 and 12 respectively); and
- A requirement for the child user to be provided with age appropriate information about parental controls that may be used on the platform (standard 11).
Some of the requirements implemented by the standards will look familiar to those contained in the GDPR, such as the requirement for DPIA’s to be carried out and privacy policies to be written in clear, intelligible language. However, it is important to distinguish that previous compliance is likely to have been tailored toward an adult audience whereas the Code specifically relates to children that are likely to use the services provided by you.
What are the potential penalties for non-compliance?
Should the ICO consider that an organisation is not conforming to the Code, it will have the ability to levy the same penalties as it can under the GDPR, including assessment notices, warnings, reprimands, enforcement notices, requirements to take steps to bring operations into line with the GDPR and penalty notices which can be a fine of up to £17.5 million or 4% of annual global turnover.
It is also worth bearing in mind that should businesses not conform to the code, they will likely encounter greater difficulty in demonstrating to the ICO that they are GDPR and PECR compliant and the possibility of the breach being considered serious is likely to increase accordingly.
What has changed?
Numerous well-known organisations have made amendments to their platforms in order to better protect children in recent months, including technology giant Google and social media website Instagram.
Google have announced that it will block ad-targeting based on gender, interests and age for under 18s, whilst Instagram has included privacy by default for all account holders under the age of 16, as well as taking steps to improve algorithms to protect users in this age bracket against strangers trying to follow and message them.
The ICO has also referred to the global influence of the Age Appropriate Design Code with members of the US Senate and Congress encouraging the adoption of the standards of the Code, particularly for US technology and gaming companies, on a voluntary basis. It also reported that Ireland is in the process of introducing a similar form of protection which the ICO says “links closely to the code and follows similar core principles”.
Recommended next steps
With the deadline having now passed, it is important to carry out a review of the services provided by your business to ascertain whether it would fall within the wide scope of the Age Appropriate Design Code in a timely manner.
If necessary, a DPIA should be carried out and a roadmap for how the 15 standards will be implemented should be drawn up with the implementation stage and any subsequent additional measures required to demonstrate your compliance with the Code taking place as soon as possible.
It is of particular importance that the decision making process and the measures taken to achieve compliance are documented as, within their guidance, the ICO specifies that efforts to conform to the code will be taken into account when considering enforcement action. Therefore, the ability to show how you have done so, will undoubtedly be beneficial.
Should you require any assistance in addressing the introduction of the Age Appropriate Design Code, then please contact Peter Kouwenberg, an Associate Solicitor in the Corporate and Commercial team, here at Taylor Walton, who can be contacted on 01582 390411 or by email at email@example.com.
Authors: Peter Kouwenberg, Associate Solicitor and James Davey, Trainee Solicitor.