Thursday, February 20, 2020
On 21 January 2020 the Information Commissioner’s Office in the UK (the “ICO”) issued the Age Appropriate Design Code (the “Code”), a code of practice that sets out 15 standards that online services should meet in order to protect children’s privacy.
The need for such a code is reflected in this statement from Elizabeth Denham, Information Commissioner:
“A generation from now, I believe we will look back and find it peculiar that online services weren’t always designed with children in mind.
When my grandchildren are grown and have children of their own, the need to keep children safer online will be as second nature as the need to ensure they eat healthily, get a good education or buckle up in the back of a car”.
The Code is aimed at Information Society Service providers (“ISS providers”). A company or organisation will be considered an ISS provider if it provides online products or services that process personal data and are likely to be accessed by children in the UK. It is important to note that online products and services include apps, programs, websites, games, community environments, connected toys and devices with or without a screen. It is also important to note that the Code applies to products and services that are likely to be accessed by children, not just those that are aimed at children.
Significantly, all services that constitute an economic activity will be covered, even if the remuneration involved does not come directly from the end user (e.g. a gaming app that is free to play but is supported by advertising). Services provided by public authorities are not covered by the Code, as they are not provided for remuneration. Further, the Code specifically exempts services such as children’s counselling services or health check-ups from its remit, while including more general health or wellness services such as step counters or fitness trackers.
The Code is also relevant to service providers based outside the UK. It will apply to service providers with an establishment in the UK and to those based outside the EEA whose services are offered to users in the UK, or who monitor the behaviour of users in the UK, provided in each case that the service is likely to be accessed by children. Where the Code applies to data processing but the organisation in question has a lead supervisory authority other than the ICO, the ICO may ask that supervisory authority to take the Code into account when considering compliance with the GDPR.
The Code was drafted as a statutory code of practice under section 123 of the UK Data Protection Act 2018 (“the DPA”), which obliges the ICO to prepare a code of practice on standards of age-appropriate design that protect the best interests of the child when children engage with ISS.
It is important to note that even though the Code has a statutory basis, under section 127 of the DPA a failure to act in accordance with any of the Code’s provisions does not in itself make the person or organisation responsible liable to legal proceedings. However, the Code is admissible in evidence, and the ICO and the courts must take it into account where relevant.
The Code is yet to be laid before the UK Parliament, where it must sit for 40 days, and will come into effect 21 days after the end of that period (provided no amendments are required). There will then be a further 12-month transition period to allow ISS providers to conform to the Code.
Key points of the Code
The Code sets out guidance on standards of age-appropriate design under the following 15 headings: best interests of the child, data protection impact assessments, age-appropriate application, transparency, detrimental use of data, policies and community standards, default settings, data minimisation, data sharing, geolocation, parental controls, profiling, nudge techniques, connected toys and devices, and online tools. The Code also contains a separate section on governance and accountability.
Each heading sets out specific requirements. For example, under the geolocation heading: location options must be switched off by default; the service must display an obvious sign to the child whenever location tracking is active; and options that make a child’s location visible to others must default back to “off” at the end of each session.
Similarly, nudge techniques that encourage children to surrender more data, reduce their privacy protection settings or extend their time of use will be prohibited under the Code.
This obviously creates a significant compliance burden for ISS providers. Many will need to rebuild their approach to services that are likely to be accessed by children in order to meet the standards set out under the 15 headings above.
Although failure to comply with these standards is not an offence in itself, non-compliance will make it difficult to demonstrate compliance with the GDPR, meaning that a breach could potentially give rise to fines of up to €20 million or 4% of annual global turnover, whichever is higher.
While there is no date set for when compliance with the Code will be required, it certainly represents a sea change for ISS providers operating in the UK. With that in mind, companies operating in this space would be best advised to begin an immediate review of their services in the context of this code.
ISS providers present in Ireland should take note that, while there is no similar code in force in Ireland at the moment, there is potential to introduce one under section 32 of the Irish Data Protection Act 2018 and Article 40 of the GDPR. Until then it is still possible that Irish-based ISS providers could have their processing activities and GDPR compliance reviewed through the lens of the Code (once in force). Any code introduced in Ireland will likely be influenced by the approach taken in the UK. In particular, the Data Protection Commission (the “DPC”) has indicated in its Annual Report 2019 that it plans to publish draft guidance on children’s protection in early 2020 and to commence another round of public consultation.