1. Skip to navigation
  2. Skip to content
  3. Skip to sidebar

ICO Publishes Age Appropriate Design Code of Practice for Online Products and Services accessed by Children

On 21 January 2020, the ICO published the Age Appropriate Design Code of Practice. The Code is available here.

Who does the Code apply to?

  • The Code applies to information society services which are likely to be accessed by under-18s. The ISS does not have to be deliberately directed at children.
  • This includes any online products or services (e.g. apps, programs, websites, games). This also includes Internet of Things (IoT) connected toys and devices – whether with or without a screen.
  • The Code applies to ISS with an establishment in the UK OR those that are outside the UK (but target goods and services to, or monitor children in the UK).

What does the Code say?

The Code sets out 15 headline “standards of age appropriate design”:

  • Best Interests: The best interests of the child should be a primary consideration when you design and develop online services likely to be accessed by a child.
  • Data Protection Impact Assessments: You should undertake a DPIA before launching the product or service to assess and mitigate risks to the rights and freedoms of children.
  • Age Appropriate Application: You should take a risk-based approach to recognising the age of individual users and ensure you effectively apply the standards in this code to child users. Either establish age with a level of certainty that is appropriate to the risks to the rights and freedoms of children that arise from your data processing OR apply the standards in this code to all your users instead.
  • Transparency: The privacy information you provide to users must be concise, prominent, and in clear language suited to the age of the child.
  • Detrimental Use of Data: You should not use children’s personal data in ways that have been shown to be detrimental to their wellbeing, or that go against industry codes of practice, other regulatory provisions, or Government advice.
  • Policies and Community Standards: Uphold your own published terms, policies and community standards (including but not limited to privacy policies, age restriction, behaviour rules and content policies).
  • Default Settings: Settings must be ‘high privacy’ by default (unless you can demonstrate a compelling reason for a different default setting, taking account of the best interests of the child).
  • Data Minimisation: Collect and retain only the minimum amount of personal data you need to provide the elements of your service in which a child is actively and knowingly engaged. Give children separate choices over which elements they wish to activate.
  • Data Sharing: You should not disclose children’s data unless you can demonstrate a compelling reason to do so, taking account of the best interests of the child.
  • Geolocation: You should switch geolocation options off by default (unless you can demonstrate a compelling reason for geolocation to be switched on by default, taking account of the best interests of the child), and provide an obvious sign for children when location tracking is active. Options which make a child’s location visible to others should default back to ‘off’ at the end of each session.
  • Parental Controls: If you provide parental controls, give the child age appropriate information about this. If your online service allows a parent or carer to monitor their child’s online activity or track their location, provide an obvious sign to the child when they are being monitored.
  • Profiling: You should switch options which use profiling ‘off’ by default (unless you can demonstrate a compelling reason for profiling to be on by default, taking account of the best interests of the child). Only allow profiling if you have appropriate measures in place to protect the child from any harmful effects (in particular, being fed content that is detrimental to their health or wellbeing).
  • Nudge techniques: You should not use nudge techniques to lead or encourage children to provide unnecessary personal data or turn off privacy protections.
  • Connected Toys and Devices (IoT): If you provide a connected toy or device, ensure you include effective tools to enable conformance to this code.
  • Online Tools: Provide prominent and accessible tools to help children exercise their data protection rights and report concerns.

What should businesses do?

There are five steps that businesses should take now to prepare themselves (as set out in the Code):

  • Step 1: Implement an accountability programme
  • Step 2: Have policies to support and demonstrate compliance
  • Step 3: Train staff
  • Step 4: Keep proper records
  • Step 5: Be prepared to demonstrate compliance with the Code 

What happens now?

  • The Code needs to be notified to the European Commission and laid before Parliament (in case there are any objections). This process will likely be concluded in July / August 2020.
  • Businesses will then have 12 months to implement the changes from the date the Code takes effect. Based on the timescales above, we anticipate the Code will take effect around August/September 2021.
  • The ICO will enforce the Code in line with their Regulatory Action Policy and may impose fines under the Privacy and Electronic Communications Regulations (PECR) and/or GDPR, depending on the nature of the breach.
ICO Publishes Age Appropriate Design Code of Practice for Online Products and Services accessed by Children

Brexit and data protection

As over half a million people marched to Westminster this weekend for a People’s Vote – a demand for a second referendum on the eventual Brexit deal – this put me in mind of one essential similarity between the UK referendum-hopefuls (on the one hand) and global Data Protection Officers (on the other): A desire for control over the direction of events following the 29 March 2019. Less than 6 months away from “Brexit Day”, two questions asked daily by our global clients are: How will Brexit affect data transfers to and from the UK? And how best should we prepare?

A Brexit deal is essentially uncertain – ironically for the demonstrators, that uncertainty is only likely to be exacerbated in the short term by any prospect of a further referendum. A transition period covering data flows is similarly moot. The prospect of an adequacy decision is months or even years away, if the pace of progress in the European Commission’s dealings with Japan and South Korea is anything to judge by.

Therefore, rather than crystal-ball gazing at more attractive alternatives, the only sensible approach, in my view, is to prepare now for the absence of a deal on data transfers – the so-called “Hard Brexit” scenario. A “Hard Brexit” for data privacy means the UK becoming, as of the later of 29 March 2019 or the end of a transition period which covers data flows, a “third country” within the meaning of GDPR.

The practical preparations required would include the following:-

  • Territorial Scope Assessment – a global business will already be familiar with exploring whether their non-EEA establishments are caught by Article 3(2) GDPR. A UK establishment will now have to ask themselves the same questions: (i) Are we offering goods or services to data subjects in the EEA? (ii) Are we monitoring the behaviour of data subjects, as far as their behaviour takes place in the EEA?
  • Accountability – if the answer to the territorial scope assessment above is “yes”, then this should be acted upon by the UK establishment. However, if GDPR compliance programmes have been completed, then the UK establishment will be in a strong starting position. The assessment should be documented internally for the benefit of supervisory authorities in the affected Member States. It may also be beneficial for clarity to split away the UK Article 30 Records of Processing caught within extra-territorial scope of GDPR.
  • Appoint a Representative – the UK establishment should, subject to the exceptions in Art 27(2) applying, appoint a representative in writing in one of the Member States affected by the UK establishment’s processing activities. For a business with multiple EEA establishments, another existing establishment may suffice.
  • Data Exports – in the absence of an adequacy decision, for organisations caught by GDPR, one of the safeguards in Article 46 GDPR must be selected for any data transfers to the UK. In many cases these will be the standard contractual clauses approved by the European Commission, although businesses who have Binding Corporate Rules in place may continue to rely on BCRs. Addressing Brexit issues will involve e.g. the review of intra-group agreements governing data transfers to re-badge UK establishments as Data Importers and processor contracts with vendors to ensure that adequate safeguards are in place.
  • Privacy Notices – privacy notices need to set out (where applicable) the fact that a controller intends to transfer personal data to a recipient in a third country as well as the safeguards which are in place. For organisations caught by GDPR, once the “data exports” task above has been completed, a minor redraft of privacy notices to capture the new additional information will need to be completed.
  • Main Establishment – for an organisation caught by GDPR to benefit from the One-Stop-Shop, the “main establishment” will have to be based in a Member State. Where the “main establishment” is currently in the UK, a defensible case may have to be built for why another establishment should be re-designated as the “main establishment” post-Brexit. In some circumstances, it may be that decision-making functions and resources will have to be shifted out of the UK to another establishment.
  • Reliance on Union or Member State Law – in certain circumstances, the GDPR makes provision for legal bases which align to Union or Member State Law. For example, in order to rely upon Article 6(c) or (e) GDPR as a basis for lawful processing. Where processing involves UK establishments they will not be able to claim reliance on UK laws in relation to processing which is caught by extra-territorial scope of GDPR in the same way that a US entity would not be able to rely upon US law. This may involve some creative re-thinking or risk decisions. If anyone is able to solve what I will euphemistically call the “Article 10” dilemma, I welcome answers on a (non-literal) postcard!

For UK establishments, the GDPR will be incorporated into UK law on 29 March 2019 as a result of the European Union (Withdrawal) Act 2018. Therefore, the story will be otherwise largely one of continuity in terms of other areas of the law, including data subject rights, controller and processor obligations and data export arrangements, save for any provisions relating to EDPB and One-Stop-Shop. Which leads me onto…

A Better Alternative for Data Privacy in the UK?

Rather than seek adequacy (or even, adequacy+), there may be a more attractive model for the continuing relationship of the UK with the EU in respect of data transfers.

By result of a Joint Committee Decision (JCD), the GDPR entered into force in the EEA EFTA States of Iceland, Liechtenstein and Norway on 20 July 2018. This enables the supervisory authorities of the EFTA States to participate fully in the one-stop-shop, the consistency mechanism and the European Data Protection Board (EDPB), save for the fact that they are not able to vote or stand for election as chair or deputy chair of the EDPB.

In the event that the UK became an EEA EFTA State, this would (i) enable the UK ICO to remain part of the consistency mechanism and the one-stop-shop (ii) enable the UK ICO, which is well-resourced and has a wealth of experience, to continue to approve and monitor Binding Corporate Rules and have a limited participatory role in the EDPB and, crucially, (iii) avoid all of the legal issues outlined above. From the perspective of data transfers, could this be the best possible ready-beaten path, save for full membership of the EU?

 

Brexit and data protection