If you operate online services such as apps, games and connected devices likely to be accessed by children, you should be aware of the Age Appropriate Design Code, or 'Children's Code', (Code) issued by the UK data protection regulator, the Information Commissioner's Office or ICO, to govern use of youngsters' personal data. Bear in mind that whilst GDPR allows for teenagers to be considered able to give their own consent, the Code covers all age ranges up to 18 and so many online service providers will be caught. The Code came into force in September 2020, with a 12-month transitional period, and so the clock is ticking for any changes still needed to put suitable safeguards in place
Developing the GDPR requirement for data controllers to consider privacy by design as well as default, the Code requires organisations to account for the needs of children across different age ranges and put their best interests first. For example, is an appropriate privacy policy available using child-friendly wording? Are any profiling or location controls set to 'off' as a default? Is any unnecessary data being collected? The best way to assess the potential pitfalls with any data processing activity is likely to be a data protection impact assessment, or DPIA – and this is mandatory where the Code applies.
The ICO has launched a series of blog posts dedicated to the 15 standards set out within the Code, supplementing its existing range of support materials. To quote a recent blog post:
'A DPIA will help you draw out and document the questions you need to answer in order to conform with the Code. It can also bring cost savings and broader benefits for both children and your organisation. It reassures parents that you protect their children's interests, builds trust in the way you're dealing with children's personal data and your service is appropriate for children to use. It may also help you avoid reputational damage later on.'
Data protection compliance can appear overwhelming, and the Code may seem to add to that burden, but the blog and other ICO resources do help to make compliance more manageable. Rather than putting this off any further, try to take steps towards compliance whilst still within the transition period. Remember to document any decisions made and steps taken to address compliance obligations, in keeping with the GDPR principle of accountability; compliance is crucial but being able to evidence compliance is also important.
Even if you are not intentionally targeting youngsters, the Code will apply where they are considered likely to access your services – and in light of lockdown restrictions online activity has only increased, meaning more providers than ever should bear the Code in mind.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
