Data protection and children: ICO released final version of the Age Appropriate Design Code

posted on 30 January, 2020   (public)

Ambitious standards at the core of a risk-based approach to take into account the best interests of the child

On 21 January 2020, the UK Information Commissioner’s Office (ICO) has released its final version of the Age Appropriate Design Code which will now be laid before Parliament for approval.

As presented by Elanor McCombe at the 50th EPRA meeting in Athens, this code is the first of its kind and aims at providing guidance to online service providers to comply with the data protection legislation. The standards of the code are rooted in the General Data Protection Regulation (GDPR) and the code was introduced by the UK Data Protection Act 2018. This code seeks to protect children within the digital world, not protect them from it.

  • The Code sets out 15 flexible standards such as the application of high privacy by default settings, data minimisation, profiling and geolocalisation switched off by default.
  • In any case, the best interest of the child should always prevail when designing and developing online services, and an appropriate level of protection must be ensured.

The code will apply to “information society services likely to be accessed by children” in the UK (including apps, programmes, connected toys and devices, search engines, social media platforms, streaming services, online games, news or educational websites and websites offering other goods or services to users).

Following the outcomes of a public consultation in April-May 2019, the final version of the code:

  • reflects a risk-based approach and aims at encouraging the industry by making it accountable.
  • The providers will have to determine the age range of their users, with a level of certainty appropriate to the risks and to the rights and freedoms arising from the data processing, and to tailor the protections standards accordingly.
  • Data protection Impact assessments are more clearly encouraged and a list of methods to establish age with an appropriate level of certainty is provided (self-declaration, artificial intelligence, third party age verification services,…).
  • A 12-month transitional period will apply.

Despite some criticism from the industry, the code is still very broad in its scope of application. It excludes, however, the public authority services and the broadcasting services (except their on-demand services branch). A new part of the code was also added to deal with the consequences of the Brexit.

According to Elizabeth Denham, the UK Information Commissioner, this code is achievable. Even though it is a non-binding instrument, if the organisations do not conform with those standards, they would have difficulties to demonstrate that their services are compliant with the data protection legal framework in case of litigation.

Source: ICO website

Further EPRA Background: At the EPRA meeting in Athens on 24 October, Plenary Session 1 focused on the commmon challenges faced by the NRAs and the DPAs regarding children and their digital content consumption. The session featured a keynote by Prof. Eva Lievens from the Law faculty of Ghent University and Elanor McCombe presented the ICO's draft age appropriate design code.
  • The discussion highlighted that the reference to data processing in the AVMS Directive implies some involvement from audiovisual regulatory authorities. Establishing a dialogue with the DPAs is crucial to determine how audiovisual regulators should be involved. EPRA members were encouraged to contact their counterparts within the Data Protection Authorities.
  • Media and digital Literacy are essential to explain to children the consequences of their online activity - and this could be one focus of the cooperation between audiovisual regulators and DPAs.