• news-banner

    Expert Insights

Age Appropriate Design Code - Are You Ready?

A brief reminder that there are six months left to comply with the Children’s Code and the ICO has issued an appeal for transparency champions.

Background

The Age Appropriate Design Code (Children's Code), which came into force on 2 September 2020 aims to help ensure that children’s privacy is protected online. The Children’s Code allowed for a 12 month transition period, meaning that organisations have until 2 September 2021 to ensure their compliance.

The Information Commissioner’s Office (ICO) recently undertook research into whether organisations are prepared and suggested that many are in the preparation phase. The initial findings were published on 2 March 2021, together with a reminder that there are only six months left to make changes to align your online services, operations and products with the Children’s Code. The full findings will be published in a few months’ time.

When does the Children’s Code apply?

The Children’s Code applies to “information society services likely to be accessed by children” in the UK. The ICO has noted that this includes many apps, programs, connected toys and devices, search engines, social media platforms, streaming services, online games, news or educational websites and websites offering other goods or services to users over the internet.

This will have a significant impact on website design and organisations may need to make substantial design and operational changes to existing sites. Importantly, it is not restricted to services specifically directed at children but those used by children.

Standards of Age Appropriate Design

The standards are, in summary:

  • Best interests of the child – website design and development should have the best interests of the child in mind.
  • Data protection impact assessments – assess and mitigate risks to the rights and freedoms of children who are likely to access the service, which arise from data processing. Consider ages, capacities and development needs.
  • Age appropriate application – risk-based approach to recognising the age of individual users and ensure you effectively apply the standards in this code to child users. Consider ways of establishing the age of the users or otherwise apply the standards to all users.
  • Transparency –privacy information and any other terms you provide must be easy to read and understand for the appropriate age group. Consider policies and notices drafted specifically for children and provide additional specific ‘bite-sized’ explanations at the point of use of their personal data. The aim is for children to easily understand how, when and why services use their data.
  • Detrimental use of data – do not use children’s personal data in ways that have been shown to be detrimental to their wellbeing, or that go against industry codes of practice, other regulatory provisions or Government advice.
  • Policies and community standards –uphold your own published terms, policies and community standards (e.g. age restrictions and content policies).
  • Default settings –unless there is a compelling reason not to, website default settings must be ‘high privacy’ by design.
  • Data minimisation –only collect and retain the minimum amount of personal data needed to provide the elements of the service used by children. Offer children choices over which elements they wish to activate.
  • Data sharing – unless there is a compelling reason to do so, do not disclose children’s data.
  • Location tracking turned off –unless there is a compelling reason not to, geolocation options should be off by default. Provide an obvious sign for children when location tracking is active. Options which make a child’s location visible to others must default back to ‘off’ at the end of each session.
  • Parental controls – give child age appropriate information about parental controls being used, where applicable. Provide an obvious sign to the child if and when they are being monitored.
  • Profiling turned off –unless there is a compelling reason not to, options which use profiling should be off by default. Only allow profiling if you have appropriate measures in place to protect the child from any harmful effects (e.g. don’t feed content that is detrimental to their health or wellbeing).
  • Nudge techniques – do not use techniques aimed at encouraging children to provide unnecessary personal data.
  • Connected toys and devices –if you provide a connected toy or device ensure you include effective tools to enable conformance to the Children’s Code
  • Online tools – provide prominent and accessible tools to help children exercise their data protection rights and report concerns.
Transparency Champions

In addition to the reminder issued about compliance, the ICO has also opened a consultation calling for organisations to become so-called transparency champions. The consultation is open to anyone who is committed to designing projects using privacy information in ways that are easy for children to engage with, or has ideas or examples of privacy designs that meet the Children’s Code transparency standard.

The ICO would “like to hear from online services, children’s rights advocates, designers, academics and anyone else working to deliver our vision to place the best interests of children at the heart of the online world” and invite participants to submit ideas before 23.00 pm on Friday 30 April 2021.

In addition to consulting the market, the ICO is using feedback from organisations and sector-specific events and discussions, to assess whether there are further requirements for tailored guidance and support, to supplement existing resources on the Children’s Code.

Ensuring Trust in Innovation

Elizabeth Denham (ICO) spoke at the Oxford Internet Institute on 3 March 2021 and two particular comments highlight the importance of organisations’ compliance with the Children’s Code and the transformative impact it is likely to have:

The Code is an important piece of work in protecting children. In the coming decade, I believe children’s codes will be adopted by a great number of jurisdictions and we will look back and find it astonishing that there was ever a time that children did not have these mandated protections.”

“There is a more fundamental point here too: if we have a generation who grow up seeing digital services misuse their personal data, what does that do to their trust in innovation in the future?”

The Children's Code will be the first of its kind and is expected to become an international benchmark.

Our thinking

  • Ctrl + GCC: The Rise of e-Sports in the Gulf

    Mark Hill

    Quick Reads

  • Digital Markets, Competition and Consumers Bill: Will new consumer protection rules restrict access to Gift Aid?

    Verity Heath

    Quick Reads

  • Radical reforms to fight economic crime: what should businesses do now?

    Rhys Novak

    Insights

  • Arbitration Rules – How Different Are They?

    Mazin Al Mardhi

    Insights

  • Caroline Swain writes for Startups Magazine on 'Green Claims'

    Caroline Swain

    In the Press

  • Caroline Swain writes for Fashion Capital on the EU’s new legal framework on textiles

    Caroline Swain

    In the Press

  • The End of the SAG-AFTRA Strike & What it Means for the Middle East

    Mark Hill

    Quick Reads

  • Tech Monitor quotes Gareth Mills on the CMA restricting Meta from using certain customer data

    Gareth Mills

    In the Press

  • UAE Strengthens its Position as Leading Destination for A.I.

    Mark Hill

    Quick Reads

  • Dubai Court of Cassation Extends Arbitration Agreement Across Subsequent Contracts

    Peter Smith

    Quick Reads

  • The rise in ESG reporting requirements for UK directors and of related shareholder activism

    Stephen Burns

    Insights

  • Top 5 tips for businesses to mitigate legal and regulatory risks associated with AI

    Janine Regan

    Insights

  • Private Mergers & Acquisitions in the United Arab Emirates

    William Reichert

    Insights

  • Jamie Cartwright writes for FoodBev Media on 'greedflation'

    Jamie Cartwright

    In the Press

  • UAE Polishes Federal Arbitration Law

    Peter Smith

    Quick Reads

  • Drone deliveries: Be Prepared

    Emma Humphreys

    Quick Reads

  • Charles Russell Speechlys expands commercial offering with the appointment of Rebecca Steer

    Rebecca Steer

    News

  • The Times quotes Gareth Mills on the CMA’s preliminary approval of the Activision Blizzard-Microsoft deal

    Gareth Mills

    In the Press

  • City AM quotes Gareth Mills on the CMA’s new set of principles for regulating AI

    Gareth Mills

    In the Press

  • Silicon quotes Gareth Mills on the UK consumer lawsuit against Google

    Gareth Mills

    In the Press

  • Bloomberg and The Washington Post quote Richard Davies on multiclub ownership in world sports

    Richard Davies

    In the Press

  • Product compliance and Brexit - UK Government concedes to CE markings indefinite recognition

    Jamie Cartwright

    Quick Reads

  • UAE and the Grey List: Brief Update

    Karl Masi

    Insights

  • A Summer of Sport - Top 5 Legal Considerations

    Anna Sowerby

    Insights

  • Has the Orpéa plan impaired shareholder's consent? - Le plan de sauvegarde d'Orpéa n'a-t-il pas vicié le consentement des actionnaires historiques ?

    Dimitri-André Sonier

    Quick Reads

  • The Express quotes Gareth Mills on the CMA’s report on competition in the groceries sector

    Gareth Mills

    In the Press

  • Reuters quotes Gareth Mills on the CMA’s deadline extension of the Microsoft Activision Blizzard deal

    Gareth Mills

    In the Press

  • Les défaillances en France proches de leur niveau de 2019 - French insolvencies close to 2019 levels

    Dimitri-André Sonier

    Quick Reads

  • Law.com International quotes Simon Ridpath on the use of AI in the legal sector

    Simon Ridpath

    In the Press

  • Casino Group: An agreement with investors and debt holders is expected at the end of July

    Dimitri-André Sonier

    Quick Reads

  • Raconteur quotes Caroline Swain on misleading pricing practices

    Caroline Swain

    In the Press

  • DIAC Issues First Annual Report

    Georgia Fullarton

    Quick Reads

  • One year on: "Influencer Culture: lights, camera, inaction" remains astonishingly accurate

    Caroline Swain

    Quick Reads

  • Saudi Center for Commercial Arbitration publishes new Arbitration Rules

    Peter Smith

    Quick Reads

  • WhatsAppGate - Should businesses be reviewing their social media policies?

    Anna Rogers

    Quick Reads

  • Dubai announces its plan to streamline the enforcement of civil judgments and arbitral awards

    Peter Smith

    Quick Reads

  • Sign of the times - the British record football transfer which very nearly didn't happen

    Pei Li Kew

    Quick Reads

  • No love (island) lost for the #muffboss – #ad is great but don’t forget the other ad rules

    Caroline Swain

    Quick Reads

  • Is it really against the law to share your Netflix password?

    Quick Reads

  • Omnichannel innovation essential in the face of outlet decline

    Caroline Swain

    Quick Reads

Back to top