The Information Commissioner's Office (the ICO) has confirmed that its Age Appropriate Design Code, designed to ensure that children's personal data has a baseline of protection automatically by design and default, is now in force from 2 September 2020. Companies providing online services likely to be accessed by children – including apps, connected toys, online games, streaming services, social media platforms and websites offering other goods or services to children over the Internet – have a period of 12 months in which to ensure that they are in compliance with the Code.
The Code applies to "relevant information society services which are likely to be accessed by children" in the UK, further to section 123(1) Data Protection Act 2018, and captures a broad range of services (although it does not change the underlying law). It looks to introduce certain standards to protect children's personal data online. Implementation of the Code could be taken to emphasise the high priority of children's data protection rights for the ICO, although it will be important to note, in due course, whether enforcement action takes place in this area.
The Code contains 15 cumulative and interlinked standards that need to be implemented to ensure services appropriately safeguard and fairly process children's personal data. At the heart of the Code is the general aim of putting the best interests of the child first when service providers are designing, developing and providing services that are likely to be accessed by children. The focus of the Code is on providing default settings that allow children to have the best possible access to online services, whilst minimising personal data collection and use. For further information about the Code, please see our previous article where we discussed more broadly issues around protecting children's personal data and privacy online.
The Code has a transition period of 12 months to allow online service providers time to ensure that they will be compliant. The ICO will also be releasing a package of support to help companies implement the provisions of the Code. The ICO has set out in the Code that it will take a proportionate and responsible approach to enforcement, focussing on areas with the potential for most harm. The ICO has also said that it will take account of the size and resources of the organisation concerned, the availability of technological solutions in the marketplace and the risks to children that are inherent in the processing, when considering any enforcement action.
The implementation of the Code follows the ICO's recent re-opening of its regulatory sandbox, with a focus on children's privacy or data sharing.