The Children’s Code has been designed by the ICO to protect children ‘within’ the Digital World, rather than ‘from’ it
The ICO have just released a data protection Children’s Code (or Age Appropriate Design Code in full) that outlines an organisation’s responsibility for its online practices with regard to children.
The code will cover apps, online games, platforms, websites, social media sites or anything else likely to be accessed by a child.
It came into force on the 02nd Sep this year and organisations now have twelve months to make sure they’re fully compliant with the new code.
Here’s what you need to know and what you’ll need to do to make sure your organisation is ‘up to code’…
The Age Appropriate Design Code, otherwise known as the children’s code, is a new statutory code of practice that falls under the General Data Protection Regulations.
It’s there to recognise the fact that children should be given extra consideration around their personal data, whilst helping organisations understand what is and will be expected of them.
The ICO has ‘translated’ what the law says into fifteen standards that any and all organisations providing online services should follow to remain compliant within the law.
Following the principle of Privacy First, the code is there to ensure children have a baseline of protection automatically, by default and by design, so that they’re protected within the digital world, not from it.
Any organisation that isn’t fully compliant within the code by September ’21 could face penalties from the ICO such as compulsory audits, orders to stop the processing of personal information and fines of up to 4% of their global turnover!
Most, if not all, modern apps, games and websites will start collecting data on their users the moment someone opens/visits them.
That data can then be used to tailor what advertisements a child might see, shape how they’re encouraged to engage with the app/site or even how they’re ‘persuaded’ to spend more time using an organisation’s services.
Whilst the digital world can offer truly awesome experiences for younger users to learn and enjoy themselves, it was felt that not enough was being done to create a space within the digital world for children to explore and grow safely.
Service and platform providers will need to acknowledge within their GDPR compliance that children must be treated differently to their adult users.
In the UK, children make up 20% of internet users… even though it was never designed for them or with their needs in mind.
Take the ‘real world’ for instance.
There are plenty of laws protecting children… car seats, film and game ratings, drinking and smoking age restrictions… The Age Appropriate Design Code just follows that thought process through to its logical conclusion by adding those same protections to the digital world.
In real terms that means organisations will need to make it clear when a child’s personal data is being used to drive the content they’re seeing/experiencing, whilst recognising and protecting a child’s right to privacy.
The law will compel organisations to:
Children, or their parents/adult supervisors, can, of course, change these settings but they need to be there by default, as set out in the Children’s Code.
Organisations, to remain GDPR and Children’s Code compliant, will be expected to:
For organisations with high Data Protection standards forming the root of their processing, the Children’s Code should not cause any major problems. As with all Data Protection matters, however, organisations must ultimately be able to demonstrate their accountability i.e. that the risks have been considered, steps have been taken, and that the steps taken are justifiable according to the risks as assessed by that organisation.
It already is!
The Age Appropriate Design Code/Children’s Code came into force on the 02nd September 2020; however, the ICO have allowed for a twelve-month grace period for organisations to become compliant… by the 02nd September 2021.
Remember getting compliant for GDPR back in May of ’18?
The Children’s Code is rooted within GDPR and DPA legislation that the ICO is already enforcing.
Any organisation that operates services accessed by children and is asked to demonstrate its compliance with GDPR or PECR (Privacy and Electronic Communications Regulations) will struggle to show compliance if the Children’s Code hasn’t also been considered within its data protection policies.
As a worst-case scenario, should the ICO get involved, your organisation could be looking at audits, assessments, stop processing orders and fines of up to 4% of your global turnover… The ICO is taking this seriously and so should you!
The Children’s Code will define anyone under the age of 18 as a child for the purposes of compliance.
Many websites in the UK have, up until now, ‘thought’ of children as those being under the age of 13, often citing Article 8 of GDPR.
However, this has always been just that… a misconception, and is now clarified in the Children’s Code.
Article 8 of GDPR sets out when a child becomes old enough to provide consent to the processing of their own data, but it’s never set the age of a child as 13.
Data Protection regulations haven’t changed, the Children’s Code will just refocus specific attention on those under 18 years of age.
Everything within the new code links back to existing provisions within GDPR; it just adds another level of complexity to what the ICO Commissioner will expect of organisations when dealing with children, in order to remain GDPR compliant.
The Children’s Code will apply to any and all organisations offering ‘Information Society Services’ that are likely to be accessed by children within the UK.
Basically, it won’t matter if your app, game, device, search engine, social platform or website is specifically targeted at children or not. If there’s a possibility a child could use it then the Children’s Code will kick in.
The ICO have also confirmed their default position will be to expect most online services to fall under the Children’s Code.
The Children’s Code will apply to all UK organisations and companies.
It will also apply to any non-UK organisations with offices, branches or establishments in the UK that process children’s personal data in the context of the activities of that office.
It will also affect any organisations based outside of the EEA, even those without offices in the UK, if they offer services to UK end users (or monitor UK users/collect data on UK users) that are likely to be accessed by children.
We’re currently in the twelve-month grace period to prepare for the new Children’s Code.
After that expires (02nd Sep 2021) the ICO will investigate anywhere they’ve concerns for the digital welfare of children, starting with areas with the highest risk of harm.
They’ll also actively be investigating complaints made by parents, teachers, carers, or other adults that have identified possible breaches.
As with their GDPR investigations, the response they take is designed to be proportionate and risk-based but, should they find an organisation showing a blatant disregard for children’s privacy, as already mentioned, fines of up to 4% of global turnover could be applied.
A wide one!
The United Nations Convention on the Rights of the Child states:
The UNCRC incorporates provisions aimed at supporting the child’s needs for safety, health, wellbeing, family relationships, physical, psychological and emotional development, identity, freedom of expression, privacy and agency to form their own views and have them heard. Put simply, the best interests of the child are whatever is best for that individual child.
This will be used in conjunction with:
Children merit specific protection with regard to their personal data, as they may be less aware of the risks, consequences and safeguards concerned and their rights in relation to the processing…
To make sure your organisation is able to effectively apply the standard ‘the best interest of the child’, the ICO suggests you consider the specific needs of the child users of your platform or service and how you can best support those in your design and implementation processes.
The ICO have confirmed they’re not interested in seeing an age-gated internet.
What they want instead is a fundamental shift of how organisations approach the collection and processing of children’s private information, in which the processing of data from apps, websites and platforms takes a child-centric approach, building in relevant privacy protection from the beginning, rather than trying to add it on as an afterthought.
In short… as long as your privacy standards are set high enough as per the Children’s Code, you shouldn’t need to know the age of your users.
If, however, you decide not to go down that route you will need to establish age.
The ICO have set out several appropriate ways for organisations to do this within the Children’s Code:
There’s nothing set out in the Children’s Code that prevents data minimisation.
Data minimisation isn’t there to stop organisations collecting personal data. If you need to ask the age of a user to verify if they’re a child or not, then this is wholly compliant with data minimisation, which states you should only collect data you actually need for a specific purpose.
The ICO is well aware that no age assurance technique is 100% infallible, so don’t worry too much on this point.
If a complaint were made, or your organisation came to the attention of the ICO through some other means, then they’d look at whether the age assurance measures your organisation had put in place were stringent enough given the risk of children lying.
In layman’s terms… Has your organisation done enough to try and verify the age of its users and ensure that the personal data of children will be processed in accordance with the Children’s Code?
If you're worried about how the Children's Code might affect your organisation why not speak with one of cloudThing's Privacy-by-Design experts...