The Data Protection Act 2018 required the ICO to produce the Children’s Code (Age-Appropriate Design Code) for providers of Information Society Services (ISS) that process personal data and are likely to be accessed by children. These types of services generally include most online services, even if the ‘remuneration’ or funding of the service doesn’t come directly from the end user. The Information Commissioner states ‘...there are laws to protect children in the real world, we need our laws to protect children in the digital world too...’ This Code would apply to anyone that is likely to access the service under the age of 18 years, even if they are not the intended audience.
Please note: These FAQs have been drafted in accordance with ICO guidance.
- What are the key standards of the Children’s Code?
- Why the Children’s Code is important?
- Who does the Code apply to?
- Does the Children’s Code only apply to UK-based companies?
- Who does the Children’s Code not apply to?
- Who is a child under the Children’s Code?
- Will companies need to know the age of users?
- What do I have to do to conform with the Code?
- What penalties are there for not following the Children’s Code?
- What if you don’t comply?
- What does the UK GDPR say about children’s data?
- Which online services are covered by ICO Children’s Code?
- How does Brexit affect your position on the Children’s Code?
- What are the key issues regarding the Children’s Code and consent?
- Are privacy settings the same as consents?
- Is there an age-limit for consent?
- What changes have TikTok and YouTube made?
- Can a child exercise data protection rights? Can a parent act on the child's behalf?
- When do you need to get parental consent?
- Do businesses need to create data maps around any interactions with children's data?
What are the key standards of the Children’s Code?
The Code sets out 15 standards that online services (likely to be accessed by children in the UK) must meet to ensure that children’s personal data is protected online. This is not a new law, but a set of standards in how the UK GDPR would apply to children using online services.
|1- Best interests of the child||This should be the primary consideration when designing and developing online services that are likely to be accessed by a child.|
|2- Data protection impact assessments||Undertake a Data Protection Impact Assessment (DPIA) to assess and mitigate risks to the rights and freedoms of children who are likely to access your service, arising from your data processing.|
|3- Age appropriate application||You need to take a risk-based approach to recognising the age of individual users and ensure you apply these standards to child users. Either establish age with a level of certainty that is appropriate to the risks, rights and freedoms of children that arise from your data processing or apply these standards to all your users.|
|4- Transparency||The privacy information provided to users, and other published terms, policies and community standards must be concise, prominent and in clear language suited to the age of the child. Provide additional specific ‘bite-sized’ explanations about how personal date is used at the point that use is activated.|
|5- Detrimental use of data||You shouldn’t use children’s personal data in ways that have been shown to be detrimental to their wellbeing, or that go against industry codes of practice, other regulatory provisions, or Government advice.|
|6- Policies and community standards||You should uphold your own published terms, policies, and community standards (including, but not limited to, privacy policies, age restriction, behaviour rules and content policies).|
|7- Default settings||Settings must be ‘high privacy’ by default (unless you can demonstrate a compelling reason for a different default setting, taking account of the best interests of the child).|
|8- Data minimisation||You should only collect and retain the minimum amount of personal data you need to provide the elements of your service in which a child is actively and knowingly engaged. Give children separate choices over which elements they wish to activate.|
|9- Data sharing||Don’t disclose children’s data unless you can demonstrate a compelling reason to do so, taking account of the best interests of the child.|
|10- Geolocation||Switch geolocation options off by default (unless you can demonstrate a compelling reason for geolocation to be switched on by default, taking account of the best interests of the child). Provide an obvious sign for children when location tracking is active. Options which make a child’s location visible to others must default back to ‘off’ at the end of each session.|
|11- Parental controls||If providing parental controls, give the child age-appropriate information regarding this. If your online service allows a parent or carer to monitor their child’s online activity or track their location, provide an obvious sign to the child when they are being monitored or tracked.|
|12- Profiling||Switch options which use profiling ‘off’ by default (unless there’s a compelling reason for profiling to be on by default, taking account of the best interests of the child). Only allow profiling if you have appropriate measures in place to protect the child from any harmful effects (in particular, being fed content that is detrimental to their health or wellbeing).|
|13- Nudge techniques||Don’t use nudge techniques to lead or encourage children to provide unnecessary personal data or weaken or turn off their privacy protections.|
|14- Connected toys and devices||Ensure connected toys or devices include effective tools to enable conformance with the Code.|
|15- Online tools||Provide prominent and accessible tools to help children exercise their data protection rights and report concerns.|
Why the Children’s Code is important?
This Code is welcomed as finally online services can conform to a set of key standards for compliance. Children use the internet just as much as adults, probably even more so, this Code would seek to ensure that children are provided with the same rights as adults. This is why privacy notices must be transparent enough for a child to read and understand how their personal data is being collected and processed. Statistics suggest that one in five UK internet users are children, but they are using services that, whilst can be used by them, are not designed for use by them. The Information Commissioner has accepted that the Code will never replace parental control and guidance, but it will certainly let people have greater confidence that their children can safely learn, explore and play online.
Who does the Code apply to?
Section 123 of the Data Protection Act 2018 says that this Code applies to relevant ISS which are likely to be accessed by children. ISS is any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services. The ICO describes this as including:
- Search engines
- Social media platforms
- Online messaging or internet based voice telephony services
- Online marketplaces
- Content streaming services (e.g. video, music or gaming services)
- Online games
- News or educational websites
- Electronic services for controlling connected toys and other connected devices
- Websites offering other goods or services to users over the internet
To assess whether you come under an ISS, the ICO has published a flowchart that helps you decide whether your business is covered by the Code.
Does the Children’s Code only apply to UK-based companies?
As the Code is issued under the Data Protection Act 2018, this comes under the UK data protection regime and as such, applies to online services based in the UK.
However, due to territorial scope, the following would also be in scope:
- Online services based outside the UK that have a branch, office or other ‘establishment’ in the UK, and process personal data in the context of the activities of that establishment.
- Some other services based outside the UK even if they don’t have an establishment in the UK subject to extra territorial scope.
This means that the Code would apply to UK and non-UK companies that process UK children’s personal data.
Who does the Children’s Code not apply to?
The Code doesn’t apply to public authorities that provide online public services which process personal data for law enforcement purposes. These services do not come under the definition of ISS. The Code also does not apply to counselling or preventive services, for example, health screenings or check-ups, although it would include fitness and well being services.
Who is a child under the Children’s Code?
A child is anyone under the age of 18 years. This is in accordance with the UN Convention on the Rights of the Child (UNCRC). The Code would apply to anyone under the age of 18 that is likely to access any online service.
Will companies need to know the age of users?
Companies need to undertake a DPIA which would consider whether your online service is likely to be accessed by children under the age of 18. Your DPIA should cover children, even if the service is not aimed at them, as it's not always the case that children only access online services that are applicable to them.
You may need to regularly monitor the age of visitors to your website, this would give you an idea of the age range of your users to ensure that you are complying with the Code.
What do I have to do to conform with the Code?
- Data mapping – determine what personal data you are collecting from UK children. Even if you do not believe you are processing any UK children’s personal data, you must document your decision-making process.
- Conduct a DPIA on collecting and processing children’s personal data.
- Monitoring – check what is the age of users that visit your website or have access to your services.
- Geolocation – switch it off so you don’t track where your visitors are.
- Don’t use nudge techniques which leads or encourages children to provide more personal data.
- Have in place high level privacy by default setting.
- Assess whether your company complies with the key standards.
What penalties are there for not following the Children’s Code?
The ICO will monitor conformance to the Code using measures ranging from intelligence gathering, audit or assessment powers, investigation, and regulatory action. The ICO’s policy is that the public interest in protecting children online is a significant factor weighing in the balance when considering the type of regulatory action. The ICO states it will take more severe action against an organisation where there is harm or potential harm to children.
When deciding what type of enforcement action to take, the ICO will consider:
- The size and resources of the organisation concerned
- Availability of technological solutions in the marketplace
- Specific risks to children that are inherent in the processing
- Efforts made to conform to the Code
What if you don’t comply?
Only time will tell, what kind of enforcement action the ICO will take, as this would be dependent on the circumstances and type of breach. What we do know is that any processing of children’s personal data is high risk and processing such data without complying to the Code can only bring ramifications.
What does the UK GDPR say about children’s data?
Article 8 of the UK GDPR considers conditions applicable to a child’s consent in relation to Information Society Services. The UK GDPR also states ‘children merit specific protection regarding their personal data, as they may be less aware of the risks, consequences and safeguards concerned and their rights in relation to the processing of personal data.’ To comply with the UK GDPR, the ICO has published several checklists to assist online services that process children’s personal data.
Which online services are covered by ICO Children’s Code?
The Code applies to online services that are likely to be accessed by children in the UK. This would include:
- Connected toys and devices
- Search engines
- Social media platforms
- Streaming services
- Online games
- News or educational websites
- websites offering other goods or services over the internet.
You should note that it’s not restricted to services specifically directed at children.
How does Brexit affect your position on the Children’s Code?
It’s important to know whether you are caught by the Code depending on where your business is and whom it serves. The Code doesn’t apply to organisations in the EEA if there is no UK establishment. However, it will apply to non-UK establishments that offer services or monitor behaviour of users in the UK.
What are the key issues regarding the Children’s Code and consent?
You will always need a lawful basis for processing children’s personal data. Consent is one such lawful basis but not always the best option. However, it’s still an option, but only if you can provide children (or parents) an informed choice and control over how you use their personal data. You should be careful where you rely on consent, that the child understands what it is that they are consenting to. It’s necessary to use clear and simple language which alludes to the principle of transparency.
Remember consent must be easy to withdraw as it was to give, the right to erasure of personal data would be relevant here.
You can find examples for each of the six lawful bases in our guide to processing personal data.
Are privacy settings the same as consents?
Not really. Under UK GDPR, consent of the data subject means any freely given, specific, informed, and unambiguous indication of the data subjects’ wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
The Code states that privacy settings can give children a choice over how their personal data is used. If a particular setting is off by default, the child or parentwould need to activate the processing by changing the default setting which can then be used as part of your mechanism for obtaining consent under the UK GDPR. You will still need to comply with Article 7 and Article 8 of the UK GDPR when doing so, so privacy settings won’t be sufficient on their own.
Is there an age-limit for consent?
The Code stipulates that only a child over the age of 13 years can provide consent. For any child under the age of 13 years, parental consent is required for consent.
What changes have TikTok and YouTube made?
Since the implementation of the Code, both social platform giants have made announcements in changing how they will handle children’s personal data and account information. This follows from Tik Tok being fined £4 million for illegally collecting personal information from children under 13 years in 2019. It seems that failures were still apparent as the Dutch Data Protection Authority fined TikTok 750,000EUR in 2021 for failing to comply with transparency obligations. TikTok have since made changes to safeguard the privacy of children, including only allowing direct messaging for users aged 16 and over. It now allows parents to manage their children’s TikTok account privacy settings from their own phones.
Meanwhile, google has also announced several privacy changes for children who use its YouTube platform. This is intended to give minors 'more control over their digital footprint.’
Videos that are uploaded to YouTube by users under 18 years will be set to private by default, this means that only they can view the content or whomever they choose at first, although the settings can be adjusted if desired.
YouTube will also provide minors with break and bedtime reminders, as well as turning off auto play features. Virtual platforms are full of risk, so it would be interesting how TikTok and YouTube conform with the Code.
Can a child exercise data protection rights? Can a parent act on the child's behalf?
Children have the same rights as an adult in UK GDPR. Data subjects have the right to:
- Be provided with a transparent and clear privacy notice
- Access to their personal data
- Have inaccurate personal data rectified
- Exercise the right to erasure
- Restrict the processing in specified circumstances
- Data portability
- Object to certain processing
- Not be subject to automated individual decision-making, including profiling
They also have rights to remedies and compensation where their data protection rights have been breached.
A child can exercise their data protection rights so long as they are competent to do so. Competency in England and Wales is assessed depending on the child’s level of understanding. However, a child cannot be considered competent if they are acting against their own best interests.
The ICO states that if you have decided that a child is competent enough to provide consent, then it’s reasonable to assume that they are competent to exercise their own data protection rights.
A competent child can also authorise another person, such as a parent, solicitor or representative to act on their behalf.
The ICO further says that parents can exercise these rights on behalf of a child if the child authorises them to do so, when the child does not have sufficient understanding to exercise their rights, or when it is evident that it’s in the best interests of the child.
This applies in all circumstances, including online context where consent was given by a parent rather than the child.
The ICO provides advice when considering borderline cases, which should take into account:
- Where possible, the child’s level of maturity and their ability to make decisions like this.
- The nature of the personal data.
- Any court orders relating to parental access or responsibility that may apply.
- Any duty of confidence owed to the child or young person.
- Any consequences of allowing those with parental responsibility access to exercise the child’s rights. This is particularly important if there have been allegations of abuse or ill treatment.
- Any detriment to the child or young person if individuals with parental responsibility cannot access this information.
- Any views the child or young person has on whether their parents should have access to information about them.
When do you need to get parental consent?
If you offer online services to children based on consent, then you need to obtain parental consent for children under the age of 13 years.
Do businesses need to create data maps around any interactions with children's data?
You need to know:
- Whether you are processing children’s personal data
- Why you are processing children’s personal data
- How you are processing children’s personal data
These are basic questions that you would expect from a DPIA which all businesses must complete and assess in accordance with the Code.
The ICO provides a DPIA template specifically designed to conform to the Code. This is a complex process. However, Harper James has experienced data protection solicitors who are more than happy to prepare this assessment for you and/or to discuss any queries or issues that you may have.