ICO publishes children's code

The Information Commissioner’s Office has today published its final Age Appropriate Design Code – a set of 15 standards that online services should meet to protect children’s privacy.

The code is not a law but is required by the Data Protection Act 2018, and sets out the standards expected of those responsible for designing, developing or providing online services like apps, connected toys, social media platforms, online games, educational websites and streaming services. Importantly, the scope is extremely wide as it also covers services likely to be accessed by children and which process their data.

First of its kind, the code will influence other stakeholders and ‘reflects the global direction of travel with similar reform being considered in the USA, Europe and globally by the Organisation for Economic Co-operation and Development (OECD)’ the ICO says.

The code requires digital services companies to take action, for example, to:

  • automatically provide children with a built-in baseline of data protection whenever they download a new app, game or visit a website
  • ensure privacy settings are set to high by default
  • ensure users are not encouraged to weaken settings
  • switch location settings off by default
  • minimise data collection
  • switch profiling off by default.

Elizabeth Denham, Information Commissioner, said:
“One in five internet users in the UK is a child, but they are using an internet that was not designed for them…In a generation from now, we will look back and find it astonishing that online services weren’t always designed with children in mind.”

The code will now be laid before Parliament. It is expected that the code will take effect by autumn 2021. The ICO has a statutory duty to take the provisions of this code into account when enforcing the GDPR and PECR.

See Age Appropriate Design Code of Practice.