ICO publishes Age Appropriate Design Code for online services

ICO publishes Age Appropriate Design Code for online services

Today the ICO published its code which includes a set of 15 standards that online services should meet to protect children’s privacy. The code sets out the standards expected of those responsible for designing, developing or providing online services like apps, social media platforms, online games, educational websites and streaming services. It covers services likely to be accessed by children and which process their data.

The code will require digital services to automatically provide children with a built-in baseline of data protection whenever they download a new app, game or visit a website, and gives practical guidance on data protection safeguards that ensure online services are appropriate for use by children.

The Government included provisions in the Data Protection Act 2018 to create world-leading standards that provide proper safeguards for children when they are online. As part of that, the ICO is required to produce an age-appropriate design code of practice to give guidance to organisations about the privacy standards they should adopt when offering online services and apps that children are likely to access and which will process their personal data. The standards in the Code were backed by existing data protection laws which are legally enforceable and regulated by the ICO. The regulator has powers to take action against organisations that break the law including tough sanctions like orders to stop processing data and fines of up to £17million or 4% of global turnover.

The first draft of the code went out to consultation in April 2019. It was informed by initial views and evidence gathered from designers, app developers, academics and civil society. The ICO submitted the code to the Secretary of State in November 2019 and it must complete a statutory process before it is laid in Parliament for approval. After that, organisations will have 12 months to update their practices before the code comes into full effect. The ICO expects this to be by Autumn 2021. The next phase of the ICO’s work will include significant engagement with organisations to help them understand the code and prepare for its implementation.

Key points include:

  • Clarification of the need to adopt a risk-based and proportionate approach to age verification
  • Clarification of what services are considered to fall within the code because they are “likely to be accessed by children”
  • Clarified our approach to enforcement as risk-based and proportionate
  • FAQs specific to the media industry
  • The introduction of a 12 month transition period – the maximum allowed.