ICO Publishes the Final Version of the Age Appropriate Design Code

On January 21, the UK’s Information Commissioner’s Office (ICO) published the final version of its Age Appropriate Design Code (the Code). The Code, which was first released for comment in April 2019, is comprised of 15 Standards that will impact the way in which companies assess the age of and risks to their users; the types of personal data they collect; how that data is used and shared; how they present privacy disclosures, tools, and choices to their users; and the overall design of their products and services. The overarching principle of the Code is that online products and services “likely to be accessed by children” under 18 years old must be designed with the best interests of those children in mind.

The Standards set forth in the final version of the Code are largely unchanged from the initial draft in April. However, after a long consultation period, the final version of the Code does reflect some important compromises by the ICO.

First, while the ICO makes clear that compliance with the Standards will be required, it has clarified that the additional 100+ pages of guidance in the Code is just that, guidance. Companies will have some flexibility to come up with their own methods to comply with the Standards. That said, companies would be shortsighted not to give proper weight to the ICO’s guidance.

Second, the initial draft of the Code essentially placed the burden on companies to prove their online products and services were not likely to be accessed by children. In the final version, the ICO clarifies that the analysis will likely depend on:

• the nature and content of the service and whether [it] has particular appeal for children; and
• the way in which the service is accessed and any measures [the company] put[s] in place to prevent children gaining access.

These factors allow companies far more flexibility than the presumptive approach taken in the initial draft, which will hopefully reduce the amount of unnecessary data collection done solely to confirm a user’s age.

Third, and related, the final version of the Code takes a risk-based, proportionate approach to age verification. Whether and how a company verifies a user’s age will depend on (i) the age range(s) of the users; (ii) the level of certainty the company has about the age range(s); and (iii) the risks the online products and services pose to those users. Under certain low-risk circumstances, for example, a traditional age gate, where a user’s self-declared age is accepted without verification, might be appropriate. In contrast, the initial draft of the Code seemingly banned traditional age gates, which would have required companies to employ more intrusive verification methods.

The Code still has some final hurdles to overcome, including approval by Parliament, and will begin with a 12-month transition period. Companies, however, will likely need all that time, and possibly more!

• • •

Have more questions about the Age Appropriate Design Code? Feel free to reach out to us through our Contact page to learn more about our program. Be sure to follow us on Twitter and LinkedIn for more privacy-related updates.