ICO issues final text of Age Appropriate design code for online services to keep children safe
17 February 2020
The UK’s data protection regulator, the ICO, has issued the final text of the “Age Appropriate” design code for online services (the “Code”). Whilst this may be a welcome change for parents and guardians who are concerned that their young ones are viewing content which is not age appropriate, the Code has the potential to have a significant impact on some organisations.
What is the purpose of the Code?
The ICO has highlighted that currently the only effective mechanism for protecting children from inappropriate content is to avoid allowing them access to online services altogether. In the ICO’s view, this is not realistic in this day and age and can result in children losing the benefits of online play, interaction and development. The purpose of the Code is to protect children from within the digital world as opposed to protecting them from the digital world.
When is the Code due to come into force?
Now that we have the final text, the Code needs to be approved by Parliament. Once approved, organisations will have a grace period of 12 months to implement the necessary changes. The ICO expects the Code to be fully in effect in Autumn 2021, if not sooner.
Does the Code apply to your organisation?
The Code states that all information society services (for example, websites, apps, social media platforms, search engines and connected toys) which are likely to be accessed by children will be caught within the scope of the Code.
The key question is what the Code means by ‘likely to be accessed by children.’ The criteria are relatively broad and whether your organisation will be caught will depend on:
- the nature and content of the service, and whether that service has a particular appeal for children; and
- the way in which the service is accessed and any measures put in place to prevent children from gaining access.
The Code states that in order for a service to be ‘likely to be accessed by children’, the possibility needs to be more probable than not. This could result in organisations who are not directing their services to children being caught within the scope. Given the relatively onerous provisions of the Code, this is worrying for a number of organisations.
Further, it should be noted that a child for the purposes of the Code is a person under 18. Whilst it may be easier to prevent younger children from accessing online services, there is a much larger chance that websites aimed at adults, such as retail or publisher sites, will be likely to be accessed by teenagers.
However, despite the potential broad net of the Code, the ICO recognises the fact that compliance will need to be risk-based and proportionate. It has made clear that companies should adopt a common sense approach when considering the application.
What are the implications of being caught by the Code?
The Code lists 15 standards that organisations whose digital assets are likely to be accessed by children (“in scope organisations”) must meet to be compliant. We have outlined below the key standards which we think are most likely to have an impact on in scope organisations:
- Privacy settings on the website should be set to ‘high privacy’ by default. This means that if you are an in scope organisation, the default setting on your website should be the highest possible standard. Adults can then elect to lower the standard of protection should they wish, once they have complied with an age verification mechanism. This is likely to have a material cost impact on in scope organisations, not just to implement but also due to the fact that their ability to collect data which they may wish to commercialise at a later date will be affected.
- In scope organisations should make a risk-based assessment to recognise the age of the individuals and effectively apply the Code. The Code gives in scope organisations the option to either verify the age of the individual (a tricky task), or to apply the standards of the Code to all users (potentially an onerous obligation). However, reassuringly, the ICO has recognised that age verification tools are still a developing area and whilst the Code provides some examples which organisations can use (such as self declaration, AI, and third party verification), it has confirmed it will support work to establish clear industry standards. The ICO has also made the point that by applying the standards of the Code to all users, this does not mean that adults should be infantilised, but instead that all users will receive some basic protections on how their personal data is used by default.
- Data sharing should be minimised unless a compelling reason to do so can be demonstrated, taking account of the best interests of the child. The Code suggests that if privacy settings are already set to ‘high privacy’ by default, then data sharing with third parties should already be limited. However, this requirement to minimise data sharing is likely to have a significant commercial impact on organisations who currently share data with third parties for advertising purposes. The Code specifically highlights that commercial gain is unlikely to be considered a compelling reason for such sharing, and compelling reasons will be more akin to safeguarding purposes or for the prevention of crimes against children.
- Unless a compelling reason for profiling can be demonstrated, options which use profiling should be turned ‘off’ by default. As mentioned above, commercial gain is unlikely to be considered a compelling reason. Therefore, in most instances online providers will effectively need to obtain consent to profile users (by requiring users to actively switch profiling options ‘on’). Further, if users want to switch profiling ‘on’ then the service provider needs to explain in an age appropriate manner what will happen and encourage them to speak to an adult if they don’t understand. Where a service is using children’s data to recommend content, the Code effectively imposes a duty of care to ensure content is not detrimental to a child’s health and well-being. If a service provider does not feel they can ensure this, then they should not be profiling in order to recommend content. This is likely to result in a significant loss for organisations, who will be unable to advertise or otherwise personalise content in the way they currently are. This will also impact the general analytics that in scope organisations can carry out on data in order to measure the success of their service.
- Switching geolocation off by default. In scope organisations must ensure that any geolocation setting which is not needed to provide the core service is off by default. There is an exception to this, where an organisation can demonstrate a compelling reason for the geolocation to be switched on by default, taking into account the best interests of the child. However, organisations will need to be able to demonstrate that they have considered their reasoning behind keeping the setting on. It is likely this will have a significant impact generally, as most organisations currently collect geolocation data.
- Data protection and practical requirements. The other standards of the Code cover technical measures, such as ensuring nudge techniques are not used to encourage children to weaken their settings and information around parental controls. The standards also cover data protection requirements which echo the GDPR but are highlighted as appropriate for online services likely to be accessed by children, for example, transparency requirements and undertaking DPIAs. The standards as a whole are likely to require organisations to rethink their deployment of online services, encouraging a ‘privacy by design’ perspective.
What should you be doing?
- Carry out an assessment of whether your organisation will be caught by the Code. We suggest also keeping an eye out for any additional guidance that comes out relating to what is ‘likely to be accessed by children.’
- If you don’t want your organisation to be caught by the Code, but you think it could be, you can either:
  - Implement a combination of age verification mechanisms that are appropriate for your organisation to restrict access to your digital asset. Again, we recommend you keep an eye out for any additional guidance which is released on age verification tools; or
  - Apply the standards of the Code to all users of your digital assets.
- If you are required to comply with the obligations under the Code, it is important to understand your organisation’s technical capabilities, as well as your internal processes for handling children’s data.
- Carry out DPIAs to consider the risks to children that may arise from your processing of their personal data. The Code includes a DPIA template at Annex D, but essentially you should be considering the types of data you are collecting, the volume of data, the intrusiveness of any profiling you are carrying out, whether decision making or other actions follow from profiling and whether the data is being shared with any third parties.
Failure to comply with the Code
The Code is a statutory code that the ICO must take into account when considering whether an online service has complied with its data protection obligations under the GDPR and PECR. It is important to bear in mind that the Code has been drafted by the ICO, who is the regulator applying data protection law. It would be daring for any organisation to ignore the provisions of the Code, given that it is likely to be the first standard that the ICO (and possibly other EU regulators) or the court would refer to in the event of a complaint relating to this subject. The ICO have said in no uncertain terms that companies that do not make the necessary changes run the risk of regulatory action.
The ICO have also publicly stated in their blog that children’s privacy and data sharing are priorities and top of their agenda. For that reason, we would advise taking the contents of this Code very seriously.
We expect a large number of organisations to be turning their minds to compliance in this area in the upcoming year, so please feel free to reach out to Lewis Silkin for any assistance with understanding your obligations under the Code.