On 2 September 2020, the ICO's Age Appropriate Design Code (known as the Children's Code) came into force. The Children's Code sets out 15 standards that online services should meet to protect children's privacy whilst online.
The Children's Code is a statutory code of conduct which the Information Commissioner must have regard to when considering whether an online service has complied with its data protection obligations under the GDPR or PECR. In particular, the ICO will take the code into account when considering questions of fairness, lawfulness, transparency and accountability under the GDPR, and in the use of its enforcement powers.
Who does the code apply to?
The code applies to "information society services likely to be accessed by children" in the UK. This includes apps, programs, connected toys and devices, search engines, social media platforms, streaming services, online games, news or educational websites and websites offering other goods or services to users over the internet. It is not restricted to services specifically directed at children.
As the Children's Code specifically references educational websites, education providers will need to consider whether any of the online services they provide to pupils fall within the scope of the Children's Code.
What are the key points to the code?
The Children's Code sets out a number of key points which information society services must take into account when designing and developing online services for children. These are as follows:
- The best interests of the child should be a primary consideration when you design and develop online services likely to be accessed by children;
- You must undertake a Data Protection Impact Assessment (DPIA) to assess and mitigate risks to the rights and freedoms of children who are likely to access the service. This should take into account differing ages, capacities and development needs and ensure that your DPIA builds in compliance with this code;
- The age range of your audience and the different needs of children at different ages and stages of development should be at the heart of how you design your service and apply this code;
- The privacy information you provide to users must be concise, prominent, and in clear language suited to the age of the child. Additional specific 'bite-sized' explanations about how you use personal data at the point that use is activated should also be provided;
- You must not use children's personal data in ways that have been shown to be detrimental to their wellbeing, or that go against industry codes of practice, other regulatory provisions, or government advice;
- You must set, and adhere to, your own published terms, policies and community standards (including but not limited to privacy policies, age restriction, behaviour rules and content policies);
- Settings must be 'high privacy' by default;
- Collect and retain only the minimum amount of personal data you need to provide the elements of your service in which a child is actively and knowingly engaged. Give children separate choices over which elements they wish to activate;
- You must not disclose children's data unless you can demonstrate a compelling reason to do so, taking account of the best interests of the child;
- You must switch geolocation options off by default (unless you can demonstrate a compelling reason for geolocation to be switched on by default, taking account of the best interests of the child), and provide an obvious sign for children when location tracking is active;
- If you provide parental controls, give the child age appropriate information about this. If your online service allows a parent or carer to monitor their child's online activity or track their location, provide an obvious sign to the child when they are being monitored;
- You must only permit profiling if you have appropriate measures in place to protect the child from any harmful effects (in particular, being fed content that is detrimental to their health or wellbeing);
- You must not use nudge techniques to lead or encourage children to provide unnecessary personal data or turn off privacy protections;
- If you provide a connected toy or device, ensure you include effective tools to enable conformance to this code; and
- You must provide prominent and accessible tools to help children exercise their data protection rights and report concerns.
How does the Code impact educational providers?
Where educational providers provide online services to pupils under the age of 18, providers will need to consider whether or not the Code applies to them. In many circumstances, online services may be provided by a third party. In this case, the educational provider should seek assurances from the third party provider that they are reviewing their services in line with the standards set out in the Code and will be fully compliant with the Code by the end of the transition period on 02 September 2021.
Where educational providers design their own online services, they will need to take steps to ensure those online services meet the standards set out in the Code. This may include taking the following practical steps:
- Updating your DPIAs for the online services to demonstrate how the requirements of the Code have been met;
- Reviewing your privacy notices to ensure they are child friendly;
- Reviewing your process for exercising data protection rights to ensure it is age appropriate and child friendly; and
- Reviewing your security and privacy settings to ensure they comply with the standards set out in the Code.
A copy of the Children's Code is available to view here
For more information contact Bethany Paliga in our Governance, Procurement & Information department via email or phone on 01254 222347.
Alternatively send any question through to Forbes Solicitors via our online Contact Form.