ICO’s Children’s Code will help protect children online

A statutory code requiring organisations to provide better online privacy protections for children comes into force today, triggering the start of a 12 month transition period.

The Age Appropriate Design Code or Children’s Code applies to organisations providing online services and products likely to be accessed by children up to age 18, and gives organisations a year to make the necessary changes to put children’s privacy at the heart of their design.

The code sets out 15 standards for designers of online services and products and how they should comply with data protection law. The code will require digital services to automatically provide children with a built-in baseline of data protection whenever they download a new app, game or visit a website.

The code breaks new ground as regulatory guidance focused on a ‘by design approach’ and is a huge step towards protecting children online, especially given the increased reliance on online services at home during COVID-19.

All the major social media and online services used by children in the UK will need to conform to the code.

Elizabeth Denham, Information Commissioner said:

“A generation from now we will all be astonished that there was ever a time when there wasn’t specific regulation to protect kids online. It will be as normal as putting on a seatbelt.

“This code makes clear that kids are not like adults online, and their data needs greater protections. We want children to be online, learning and playing and experiencing the world, but with the right protections in place.

“We do understand that companies, particularly small businesses, will need support to comply with the code and that’s why we have taken the decision to give businesses a year to prepare, and why we’re offering help and support.”

The regulator is calling on organisations to get in touch to highlight the extra help they may need to understand the new code. Based on their feedback, the ICO is spending the next year developing a tailored package of support to help organisations adapt their online products and services before 2 September 2021.

The code is risk based, which means it does not apply to all organisations in the same way. Those responsible for designing, developing or providing online services like apps, connected toys, social media platforms, online games, educational websites and streaming services that use, analyse and profile children’s data, are likely to have to do more to conform to the code.

The ICO’s new web hub (link) is a starting point for all those responsible to get the necessary help and support. A series of webinars, held throughout September, will support members of trade associations in the gaming, video streaming, social media and connected toys sectors.

The ICO is also interested in hearing from innovators concentrating on cutting edge personal data projects dealing with the issues posed by the implementation of the Children’s Code. It is inviting organisations to apply for places in its free regulatory Sandbox. The Sandbox is designed to support organisations using personal data to develop innovative products and services and accepts applications from all types of organisations from start-ups, SMEs and large organisations, across private, public and voluntary sectors.

More resources are being added to the ICO’s website over the coming weeks including a toolkit for organisations to help assess whether they need to comply and details of workshops on assessing risk.

The launch of the Age Appropriate Design Code comes during the ICO’s tech month, which highlights how the ICO is working to improve data protection practices in the digital economy. Follow the details on Twitter #icotechmonth.

Notes to Editors

1. The Information Commissioner’s Office (ICO) is the UK’s independent regulator for data protection and information rights law, upholding information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
2. The ICO has specific responsibilities set out in the Data Protection Act 2018 (DPA2018), the General Data Protection Regulation (GDPR), the Freedom of Information Act 2000 (FOIA), Environmental Information Regulations 2004 (EIR) and Privacy and Electronic Communications Regulations 2003 (PECR).
3. The Government included provisions in the Data Protection Act 2018 to create world-leading standards that provide proper safeguards for children when they are online.
4. As part of that, the ICO is required to produce an age-appropriate design code of practice to give guidance to organisations about the privacy standards they should adopt when offering online services and apps that children are likely to access and which will process their personal data. (A link to the Parliamentary debate, led by Baroness Kidron, is here.)
5. The 15 standards in the Code are backed by existing data protection laws which are legally enforceable and regulated by the ICO.
6. The first draft of the code went out to consultation in April 2019. It was informed by initial views and evidence gathered from designers, app developers, academics and civil society. You can read the responses here.
7. The ICO also sought views from parents and children by working with research company Revealing Reality. The findings from that work are here.
8. Since 25 May 2018, the ICO has the power to impose a civil monetary penalty (CMP) on a data controller of up to £17million (20m Euro) or 4% of global turnover.
9. The GDPR and the DPA2018 gave the ICO new strengthened powers.
10. The data protection principles in the GDPR evolved from the original DPA, and set out the main responsibilities for organisations.
11. To report a concern to the ICO, go to ico.org.uk/concerns.