The ICO’s Age Appropriate Design Code: What is it?
This is the first blog entry in what will be a series that addresses the ICO’s Age Appropriate Design Code. Subsequent blog entries will discuss the standards set forth in the Code. The Code is open for public consultation until May 31, 2019, after which the ICO is expected to prepare a final version for submission to Parliament. We will provide an update on any subsequent drafts of the Code and the final version proposed to Parliament.
On April 12, 2019, the UK’s Information Commissioner’s Office (ICO) published a consultation draft of its long-awaited Age Appropriate Design: A Code of Practice for Online Services (Code). The Code—which follows a lengthy process in which the ICO called for evidence and views from parents, stakeholders, experts, etc.—was prepared pursuant to the ICO’s obligations under Section 123 of the UK Data Protection Act 2018 (DPA 2018), which requires the Information Commissioner to “prepare a code of practice which contains such guidance as the Commissioner considers appropriate on standards of age-appropriate design of relevant information society services which are likely to be accessed by children.”
In its current draft form, the Code consists of 16 “standards” that provide practical guidance for developing online services suitable for children. Providers of those services, however, should not interpret the term “guidance” to mean the standards are mere suggestions. The ICO makes clear that if all 16 standards are not complied with, providers would be “likely to find it difficult to demonstrate that your processing is fair and complies with the GDPR and PECR.” The ICO further warns that it could act against providers who process children’s personal data in violation of the Code.
The question, therefore, is: to whom would the Code apply? First, from a jurisdictional standpoint, the Code has the same reach as the DPA 2018, meaning it would apply to providers:
- Based in the UK;
- That have a branch, office or other “establishment” in the UK, and that process personal data in the context of the activities of that establishment; or
- That are neither based in nor have an establishment in the UK, but offer services to users in the UK or monitor the behavior of users in the UK.
Second, the Code would apply to providers of online services (e.g., websites, apps, games, connected products, etc.) that children under 18 years old “are likely to use.” This standard differs from the “directed to children” standard under the U.S. Children’s Online Privacy Protection Act (COPPA) in two significant ways. One, the Code would apply far more broadly, covering any online service with an element or feature that is likely to appeal to and be accessed by a child. And, two, under the Code, “children” includes all users under 18 years old, whereas COPPA’s protections are limited to users under 13 years old. As a practical matter, this means the Code would impact far more online services than those covered by COPPA.
Indeed, unless proven otherwise, the presumption would be that the Code would apply. If a provider believes only adults are likely to use its online service, the burden would be on the provider to “point to specific documented evidence to demonstrate that children are not likely to access the service in practice.” Evidence may include, for example, market research or specific measures taken to limit access by children. This burden is further heightened by the ICO’s guidance on age screening mechanisms, which it states must be “robust and effective.” The provider would be required to demonstrate that children cannot easily circumvent the mechanism put in place. In other words, most age “gates” currently used by online service providers would not suffice.
For an effective age screening mechanism, we recommend providers consider Veratad Solutions, which provides a range of identity and age verification solutions. Members of the Privacy Certified program benefit from our exclusive partnership with Veratad, which includes discounted rates.