What is the Code? 

On 2 September 2021, the Information Commissioner’s Office (ICO), introduced the Age Appropriate Design Code (the Code) to keep children safe online. The Code is a data protection code of practice for online services such as apps, online games, and web and social media sites that are likely to be accessed by children. Businesses need to follow the code to process children’s data fairly, ensure they comply with applicable data protection law and to mitigate the risk of fines, which can be as big as 4% of global turnover.

What changes might businesses need to make to comply?

Businesses that provide online services that may be accessed by children should:

  • Ensure that services are designed to be age appropriate and in the best interests of young people;
  • Consider whether the use of data keeps children safe;
  • Implement a high level of privacy;
  • Not implement features that encourage children to share data;
  • Not use location services that track children; and
  • Map any personal data relating to children.

As with any online service that involves high risk processing of personal information, a Data Privacy Impact Assessment (DPIA) must be carried out. In practice, if an online service is likely to be accessed by children, a DPIA is imperative. It will also be important to ensure that compliance with the Code is documented in the DPIA. This should include consulting with children and parents, documenting their views and taking them into account in the design. ICO suggests that this can be done by requesting feedback from existing users, carrying out general public consultations, conducting market research, conducting user testing or contacting children’s rights groups for their views. Businesses should build these requirements into resourcing plans or consider hiring child safety experts to ensure these requirements are met.

Under the Code, online service providers also need to consider the potential impact on children and any physical, emotional, developmental or material harm that their service could cause. Again, this needs to be covered under the DPIA. Specifically, companies must look at whether processing could cause, permit or contribute to the risk of:

  • physical harm;
  • online grooming or other sexual exploitation;
  • social anxiety, self-esteem issues, bullying or peer pressure;
  • access to harmful or inappropriate content;
  • misinformation or undue restriction on information;
  • encouraging excessive risk-taking or unhealthy behaviour;
  • undermining parental authority or responsibility;
  • loss of autonomy or rights (including control over data);
  • compulsive use or attention deficit disorders;
  • excessive screen time;
  • interrupted or inadequate sleep patterns;
  • economic exploitation or unfair commercial pressure; or
  • any other significant economic, social or developmental disadvantage. 

Providers must then consider whether they could make any changes to their service to minimise any identified risks. Additional safeguards may need to be put in place as part of the design, so businesses should ensure that those are properly budgeted for. Youtube, TikTok and Instagram have already taken steps to address the Code, and other online service providers should follow this example. Examples of steps that have been taken so far include:

  • YouTube has turned off its auto-play function for videos aimed at children, meaning children will only be able to watch videos they select;
  • TikTok will stop sending notifications to 13-15 year olds after 21:00, and after 22:00 to 16 and 17 year olds;
  • Instagram already makes it a requirement that users provide their date of birth when opening the app.

Any other legal considerations?

Businesses supplying or purchasing online services should consider incorporating clauses referencing compliance with the Code in data protection clauses or addendums to ensure they are adequately protected from a breach. As with general compliance with data protection law, this is particularly important as the fines for non-compliance are so great. Purchasers of online services will want to ensure that they have sufficient protection in terms of liability from their IS suppliers. A supplier’s uncapped liability would be the most desirable outcome, but at the very least, IS business customers should include a liability cap that adequately reflects the seriousness of the risk, the reputational damage that would ensue from a breach as well as the financial exposure of the potential fine.