ICO call for evidence on the use of Age Assurance in the Children's Code closes

UK DATA (AND OTHERS)

On 14 October 2021, the ICO launched a call for evidence on the use of Age Assurance in relation to the Children's Code and simultaneously published the accompanying ICO Opinion on Age Assurance for the Children's Code. The call for evidence closed on 4 January 2022.

Key date(s)

• 23 January 2020 – The Children's Code (the "Code"), consisting of fifteen standards, was published.
• 2 September 2021 – The transition period ended and organisations are now required to meet the requirements of the Code.
• 14 October 2021 – The Information Commissioner's Office ("ICO") published its call for evidence on the use of Age Assurance in the Code and published its opinion on Age Assurance for the Code.
• 4 January 2022 – The call for evidence closes.
• September 2022 – The ICO will review its opinion on the application of Age Assurance in the Code as part of its wider review of the Code.

Status

• The UK data protection regime, as set out in the Data Protection Act (the "DPA"), requires a risk-based approach when handling personal data and the Code which is required pursuant to s.123 DPA, provides fifteen standards to inform such approach in relation to children's personal data. Age appropriate application is one such standard and the use of age assurance, and the processing of personal data necessary to its implementation, is regarded as a proportionate way of reducing the risks posed to children online. On 14 October 2021, the ICO launched a call for evidence on the use of age assurance in relation to the Code and simultaneously published the accompanying Opinion on Age Assurance for the Code (the "Opinion").
• The Opinion defines "age assurance" as any approach that provides assurances that children cannot access adult, harmful or inappropriate content when using information society services ("ISS"), alongside any procedure that establishes or estimates a user's age so that effective protections appropriate to their age can be applied by the ISS.
• In practice, common methods of age assurance include age verification, which involves determining a person's age against pre-existing data records, age estimation, whereby AI-based technologies are used to determine whether an individual's age is within a specified range, or account confirmation, where an existing account holder confirms the age of the prospective user.
• The call for evidence closed on 4 January 2022 and the gathered responses will be used to inform the ICO's subsequent approach to age assurance and its later 2022 review of the Opinion.

 What it hopes to achieve 

• The ICO's call for evidence is part of its wider mandate to develop and maintain its knowledge on age assurance technology and keep pace with market developments.
• This specific call for evidence focuses on existing, proposed or novel approaches to age estimation and assurance. Of particular interest are systems where data protection "by design" has been applied in the context of adherence to the Code. In practice, this refers to age assurance systems that incorporate data protection concerns into all aspects of their associated data processing activities.
• Conversely, the publication of the Opinion enables providers of ISS that are in scope of the Code to understand exactly how the ICO expects them to meet the Code's requirements and, in particular, how ISS provider can meet the Code's age-appropriate application standard. Ultimately, organisations are responsible for assessing risk under the Code and for demonstrating effective mitigation strategies to deal with such risks, and the ICO views age assurance as a valuable tool to help organisations protect against such risks.

Who does it impact? 

• The Code applies to providers of ISSs and online products or services including apps, programmes, websites, games or community environments, as well as connected toys or devices (with or without a screen) that process personal data and that are likely to be accessed by children in the UK.
• Providers of online products or services should also be particularly mindful of the Code if they have UK users between the ages of 16 to 18 years old who will now require additional protection, such as appropriately tailored privacy policies.

Key points 

1. DPIA's and age assurance expectations

• • Pursuant to standard 2 of the Code, ISS's likely to be accessed by children must conduct a Data Protection Impact Assessment (DPIA) which includes an assessment of the risks to children arising from their data processing. Whatever level of risk is identified, the Opinion requires organisations to adopt age assurance measures in response.

2. Technology risk assessments

• • Organisations are expected to consider the risks of using certain age assurance technologies such as AI profiling or facial analysis and consequently, issues such as algorithmic bias and inaccuracy must be considered as appropriate. The onus is on organisations to show that their approach to age assurance is lawful, effective and proportionate.

3. Age assurance checks must not be overly intrusive

• • Age verification checks may require access to official documentation which is likely to include special category data and effective safeguards must be put in place to ensure that such data is adequately protected.

4. Age-restricted services
   • Where any services are age-restricted in law, the Code should not be interpreted to produce the perverse outcome whereby such services are made child-friendly. Where such services are concerned, the focus must always be on preventing any access by children.
5. Continued cooperation with Ofcom
   • The ICO will continue to work closely with Ofcom to develop the  Code in recognition of Ofcom's role as UK regulator for video sharing platforms and the future regulator for online safety under the Online Safety Bill.

This blog post provides an overview of a key recent or upcoming development in digital regulation in the UK or EU as part of our horizon scanning timeline which can be found below.

Contacts

VIEW DIGITAL AND REGULATION TIMELINE  +