Age Appropriate Design

Age Appropriate Design: 2021 update

December 3rd, 2019 Posted in Compliance, Data Protection

2021 update

Read our most up-to-date Children’s Design Code blog here.

3rd December 2019

Although protecting children is mentioned various times under the GDPR, it has been left to individual EU Member States to develop their own codes of conduct in relation to protecting children’s privacy online. The ICO will publish its Code of Conduct, ‘Age Appropriate Design: A code of practice for online services’, under the DPA 2018 on the 23rd November 2019. The information in this blog is based on the consultation document (the consultation is now closed), so there may be changes which we won’t know about until it’s released. However, there’s no harm in getting to grips with the key themes, and we can update you with any changes once the code is published.

The code is designed for Providers of Information Society Services (ISS), who will have a year’s grace to implement it. Just over a year on from the implementation of the Data Protection Act 2018, we’ve started to see some regulatory action announced by the ICO, and recent actions under the old law have focused on processing ‘fairness’. The code isn’t without its critics, but in any event, it’s clear that providers of Information Society Services have plenty to think about.

Which companies must comply?

As mentioned above, the code for Age Appropriate Design applies to providers of information society services. If you provide online products or services such as apps, programs, websites, games or community environments, and connected toys or devices (with or without a screen) that process personal data and are likely to be accessed by children in the UK, then this means you.

Under GDPR, EU Member States can decide what age constitutes a child with the minimum being aged 13. Under the UK’s proposed code, a child is someone under the age of 18. 

The code is not restricted to services provided specifically for children. Because children are wily and curious creatures and may well be using a service not necessarily designed for them, as an ISS provider you must decide whether your service is likely to be attractive to children even if it’s not intended for them. If it is, you should adhere to the code.

If you don’t believe your service is accessed by children, I’m afraid it’s not as simple as just stating that. If you take this stance, you have to provide proof to back up your claim, which requires a bit of legwork. Proof could be obtained in the form of market research or customer behaviour analysis.

When does the Age Appropriate Design code apply?

The code applies to all ISSs based in the UK and those based outside the UK that have a branch or ‘establishment’ in the UK. If you do not have an ‘establishment’ in the UK and the ICO is not your regulatory body, then this code of conduct does not apply. However, in this situation it may still apply if you are offering services to, or monitoring the behaviour of, UK users who are likely to be children.

It does not apply to websites or apps which provide online counselling or other preventive services (such as health screenings or check-ups) to children. Online services provided by a police force or other competent authority for law enforcement purposes are also exempt.  

(Please note that for general health, fitness or well-being apps or services, the code does apply.)

What is in the proposed code?

The proposed code consists of sixteen standards, which are noted below. Full guidance on these can be found here; they include very reasonable requirements such as setting defaults to ‘high privacy’, having geolocation services turned off by default, and not using nudge techniques which are designed to encourage longer usage or weaken privacy settings.

  1. Best interests of the child 
  2. Age-appropriate application
  3. Transparency 
  4. Detrimental use of data
  5. Policies and community standards
  6. Default settings 
  7. Data minimisation 
  8. Data sharing – the data sharing new code of practice is outlined here.
  9. Geolocation
  10. Parental controls – read our top ten tips for online safety here.
  11. Profiling
  12. Nudge techniques
  13. Connected toys and devices
  14. Online tools
  15. Data protection impact assessments: Undertake a DPIA specifically to assess and mitigate risks to children who are likely to access your service, taking into account differing ages, capacities and development needs. Ensure that your DPIA builds in compliance with this code. 
  16. Governance and accountability: Ensure you have policies and procedures in place which demonstrate how you comply with data protection obligations, including data protection training for all staff involved in the design and development of online services likely to be accessed by children. Ensure that your policies, procedures and terms of service demonstrate compliance with the provisions of this code. 

Where to start with Age Appropriate Design?

You’ll see I’ve included the full description for standards 15 and 16 above. Whilst the code in its entirety is yet to be confirmed, your time would not be wasted if you started by creating your Data Protection Impact Assessment and setting out your policies and procedures as part of the Governance and accountability standard. This will form the backbone of all the other sections, which you will need to adhere to anyway.

Under the GDPR, the collection and processing of personal data of children, where it is intended for marketing purposes, profiling or other automated decision-making, or for offering online services directly to children, is classed as ‘high risk’. As such, it is a legal obligation to carry out a DPIA. This is a process you undertake when starting or making changes to a project or process involving personal data that could present a high risk to data subjects. It involves the assessment of the risks and the identification of measures to reduce those risks.

Carrying out a DPIA also helps demonstrate compliance with Article 25 of the GDPR, which requires data protection by design and by default. This process ensures data protection compliance and risk management are incorporated from the planning stage onwards and not retrofitted into a new product, service or activity.

Crafting your policies and procedures will set the tone for your staff and enable you to train everyone involved with the provision of your service. 

Need help?

We’ll have to wait for the release of the code this November for firm details. However, if you are an ISS preparing yourself for this code and need help determining whether you are required to comply, or if you need help with a DPIA or crafting policies and procedures, we can help. Contact us for a friendly chat.


Written by Evalian®