Organisations must meet the fifteen standards of the Information Commissioner’s Office Children’s Code to ensure that children’s data is protected online

UK (AND OTHERS) - DATA

With less than six months until 2 September 2021 when conformity with the Children's Code is required, the ICO has urged all organisations and businesses to make the necessary changes to their online services and products.  These new standards aim to allow children to more safely explore the digital environment.

Key date(s)

• 22 November 2019 – Deriving from a statutory requirement under the Data Protection Act 2018 (“DPA”), and following detailed consultation, the Information Commissioner’s Office (“ICO”) submitted its Age-Appropriate Design Code of Practice (“Children’s Code”) to the UK Government.
• 23 January 2020 – The Children’s Code was published, subsisting of fifteen standards.
• 11 June 2020 – The UK Government put the Children’s Code before Parliament.
• 2 September 2020 – The Children’s Code came into force, with a twelve month transition period for organisations to comply.
• 2 September 2021 – The transition period ends and organisations will need to meet the requirements of the Children’s Code.

Status

• The UK data protection regime detailed by the DPA requires a risk-based approach when handling personal data and the Children’s Code, required pursuant to s.123 DPA, provides standards to inform such approach regarding children’s personal data.
• Following a public consultation with parents, children, schools, children’s campaign groups, developers, gaming companies, online service providers, and other stakeholders which closed on 31 May 2019, the ICO submitted the Children’s Code to the Government for consideration. The Children’s Code was then published on 23 January 2020 (following a delay due to restrictions brought about by the election process).
• After being submitted to Parliament for scrutiny in June 2020 in accordance with s.125 DPA, the Children’s Code came into force on 2 September 2020, with a twelve month transition period ending on 2 September 2021 by which time organisations will need to ensure that their operations satisfy the requirements of the Children’s Code.
• With less than six months until 2 September 2021 when conformity is required, the ICO has urged all organisations and businesses to make the necessary changes to their online services and products. The Information Commissioner, Elizabeth Denham, has also announced that “there is plenty still to be done, both by my office in supporting organisations, and in businesses stepping up to make the necessary changes”.
• In the background, the ICO has been holding various webinars with online sectors to raise awareness of the code, but are also keen to understand if any organisations or businesses are encountering any challenges with compliance with the Children’s Code, so that the ICO are able to provide further tailored guidance and support.

 What it hopes to achieve 

• The Children’s Code looks to address concern regarding children’s safety and exploitation of their data online and allow them to safely explore the digital environment.
• As well as providing age-appropriate design standards for relevant online services which are likely to be accessed by children, the Children’s Code provides various practical measures and safeguards to ensure that any processing of children’s data under the DPA, General Data Protection Regulation, or Privacy and Electronic Communications Regulations are fair, lawful, transparent, and accountable in the context of online risks to children.
• Specifically the Children’s Code sets out 15 standards which organisations must meet (detailed in the ‘Links’ section). These standards are not intended to be technical standards, but are a set of technology-neutral design principles and practical privacy features.
• When drafting the Children’s Code, the ICO also considered the UK’s obligations under the United Nations Convention on the Rights of the Child (the “UNCRC”). The Children’s Code therefore incorporates a key principle from the UNCRC that the best interests of the child should be the primary consideration in all actions concerning children.

Who does it impact? 

• The Children’s Code applies to providers of information society services and online products or services including apps, programmes, websites, games or community environments, as well as connected toys or devices (with or without a screen) that process personal data and that are likely to be accessed by children in the UK.
• Providers of online products or services should also be particularly mindful of the Children’s Code if they have UK users between the ages of 16 to 18 years old who will now require additional protection, such as appropriately tailored privacy policies.

Key points 

1. Child-friendly privacy disclosures

• • As soon as a child activates the use of their personal data online, the child should be provided with a “bite-sized” explanation (either in writing, or as a cartoon, graphic, video etc. depending on their age) of how their personal data is going to be used

2. Parental controls

• • As soon as a child activates the use of their personal data online, the child should be provided with a “bite-sized” explanation (either in writing, or as a cartoon, graphic, video etc. depending on their age) of how their personal data is going to be used.

3. Promote the welfare of the child

• • If parental controls (such as online monitoring or tracking of a child) are provided, then the child should be given age appropriate information (and warning such as a lit up icon) to let them know that parental controls are in place. Parents should also be provided with information about their child’s right to privacy under the UNCRC.

4. Use “nudging” in the child’s best interest
   • Nudging is when the child may have two options, and one option is presented far more prominently than the second option. This should not be used to lead children to make poor data privacy decisions but could be used instead to promote positive health and wellbeing decisions such as pausing a game for a break
5. Consult with children and parents
   • The ICO expects larger organisations to undertake some form of consultation whether that is through feedback from existing users or carrying out general market research. If this is not completed, a justification will need to be prepared.

This blog post provides an overview of a key recent or upcoming development in digital regulation in the UK or EU as part of our horizon scanning timeline which can be found below.

Contacts

VIEW DIGITAL AND REGULATION TIMELINE  +