The ICO's Children’s Code (or Age Appropriate Design Code)

Sep 24, 2020


The data protection code to protect children’s rights and freedoms within the digital world

This statutory code of practice will lead to changes that will help to empower both adults and children.

“Today’s children are the first to be datafied from birth and internet giants and toy-makers need to be more transparent about the data they are collecting on children. The ‘Who Knows What About Me?’report from the Children’s Commissioner for England, Anne Longfield

“When personal data drives the content that children are exposed to, this must be made clear and you must recognise and act on your responsibilities to protect children’s rights and freedoms.... Conforming to this statutory code of practice will ensure as an organisation providing online services likely to be accessed by children in the UK, you take into account the best interests of the child. UK Information Commissioner, Elizabeth Denham CBE

This code addresses how to design data protection safeguards into online services to ensure they are appropriate for use by, and meet the development needs of children

Organisations should conform to the code and demonstrate that their services use children’s data fairly and in compliance with UK data protection law. This code expects providers of these services to take responsibility for ensuring that the way their services use personal data is appropriate to the child’s age, takes account of their best interests, and respects their rights; as well as supporting parents or older children in making choices (where appropriate) in the child’s best interests.

The ICO says: we will take this code into account, along with other relevant legislation, when considering whether you have compiled with the GDPR or PECR”.

Organisations should conform by 2 September 2021.

This code is for providers of “information society services likely to be accessed by children” in the UK

‘Information society service’ is defined as:

Any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services. Essentially this means that most online services are ISS, including apps, programs and many websites including search engines, social media platforms, online messaging services, online marketplaces, content steaming services (e.g. video, music or gaming services), online games, news or educational websites, and any websites offering other goods and services to users over the internet, electronic services for controlling connected toys and other connected devices are also ISS.

Counselling and preventive services are excluded.

The code applies to all children under 18 in line with the convention of the rights of the child (UNCRC).

Best interests of the child

Concept from The United Nations Convention on the Rights of the Child (UNCRC)

The key principle in the code is that the best interests of the child must be a primary consideration when designing online services, and a theme that runs throughout the provisions of this code.

The ICO says “considering the best interests of the child should form part of your compliance with the lawfulness, fairness and transparency principle”.

The best interests of the child provide an important framework that helps organisations to understand the needs of children and the rights from the outset when designing and developing your processing activities and where any conflicts arise.

Children merit section protection under the GDPR Recital 38 makes clear “Children merit specific protection with regard to their personal data as they may be less aware of the risks, consequences and safeguards concerned and their rights in relation to the processing of personal data.

The ICO also clarifies that any marketing to children under the GDPR must be fair and not exploit the vulnerability of children. The ICO also notes that it may be inappropriate to collect and use profiles of children, including make inferences based on their personal data, or processing geo-location data.

Any use of data where harm or potential harm has shown to be detrimental to children’s physical or mental health and wellbeing is prohibited. The code refers to compliance with sector specific codes such as The Committee of Advertising Practice (CAP) Code and the Office Fair Trading (OFT) guidance for online games, other regulatory provisions or Government advice.

The code also makes it clear that data-driven ‘sticky’ features designed to make it difficult for children to disengage with your service is restricted.

A high level of privacy by design and by default

Standards of age appropriate design

The code sets out 15 standards of age appropriate design intended as a set of technology-neutral design principles and practical privacy features. A risk-based approach should be taken to develop services which conform to the standards in your own way as such that different services require different technical solutions.

Data minimisation, default settings, limited data sharing and profiling, and nudging

Only the minimum amount of personal data should be collected and retained to provide the service.

Children must be given choices over any processing which is beyond the provision of your core service. This means that you must consider each feature of your site or service independently of one another when establishing on which basis you may or may not collect personal data from children.

In order to give children control over when and how their personal data is used, you should provide privacy settings for any processing that is needed to provide additional elements or service enhancement.

Settings must be ‘high privacy’ by default; geolocation should be switched off by default unless there is a compelling reason to allow it and provide an obvious sign for children when location tracking is active; switch options for profiling ‘off’ by default unless there is a compelling reason to allow it.

Children’s data should not be shared or accessible to anyone else including sharing of personal data with third parties or with other parts of your own organisation unless you can develop a compelling interest, taking account of the best interests of the child.

Nudge techniques should not be used to encourage children to provide unnecessary personal data, weaken or turn off their privacy settings.

Privacy information addressed to children must be child-friendly and age appropriate

Child-friendly presentation

Clear privacy information including the nature of the service (such as terms & conditions or policies and standards) must be concise and easy for children at different development stages to understand. Provide additional specific ‘bite-sized’ explanations about how you use personal data at the point that use is activated.

For very young children, information will need to be aimed at parents. If you provide parental controls, this could mean from 0 – 5 provide audio or video materials for the child to explain that their parent is being told what they do online to help keep them safe.

Tailor information to age of child

The code divides children into 5 age ranges and development stages – 0 – 5 (pre-literate and early literacy); 6 – 9 (core primary school years); 10-12 (transition years); 13-15 (early teens); 16-17 (approaching adulthood). It provides guidance in an appendix for different age ranges.

The GDPR and DPA 2018 also specify that if you rely on consent for any aspects of your online service, consent needs to be provided by the holder of parental responsibility for children under 13. If you get consent from someone with parental responsibility you need to ensure that the child knows that they can withdraw that consent once they reach the point at which they do have a suitable understanding.

Give children prominent, accessible and effective tools

Connected toys and devices

These are children’s toys and devices which collects personal data and transmits it via the internet. The code recommends features that make it clear to the child or their parent when you are collecting personal data. For example, a light that switches on when the device is audio recording.

Organisations must ensure that the product incorporate adequate security measures to mitigate risks such as unauthorised access to data, or ‘hacking’ of the device in order to communicate with the child (e.g. taking over microphone capabilities) or track their location. Additionally, if devices are likely to be shared, then they should be designed so that multiple users of different ages can have different settings and is suitable for use by all children.

The ICO warns organisations that you cannot absolves yourself of your data protection obligations by outsourcing the ‘connected’ element of your toy or device to someone else.

Make your online tools prominent

Provide children easy-to-use and accessible tools to allow children to exercise their data rights and report concerns. Safeguarding issues should be prioritised so that immediate action can be taken.

Use clear and easily identifiable icon(s) such as links or buttons in a prominent way. Tools should be age appropriate and should also consider appropriate parental controls.

Start preparing for the code

Organisations that do not make the required changes risk regulatory action.

  • Comply with the GDPR’s main principles
  • Do (or redo) data protection impact assessments
  • Be ready to demonstrate compliance
  • Appoint a data protection officer if you need one

If you need advice and guidance with the code, please get in touch with one of our experts.

Contact Us

If you want to discover how you could do more with
your data, get in touch with Xynics.

Get In Touch