The UK’s Age Appropriate Design Code: 5 Steps to Get You Started
On September 2, 2020, the United Kingdom’s Age Appropriate Design Code (Code) went into effect. There is, however, a 12-month transition period to allow companies to bring their online services—including websites, mobile apps and connected toys and devices—into compliance. While 12 months might seem like a lot of time, it is not. There is much work to be done. To get started, we recommend taking 5 steps.
1. Begin Conducting a Data Protection Impact Assessment.
The Code applies to all online services that children under 18 years old are likely to access—in other words, most online services. And if the Code applies, then a Data Protection Impact Assessment (DPIA) is required. If you have not done a DPIA, this is the time. If you have done one, update it with the Code in mind.
Not sure if the Age Appropriate Design Code applies to your online service? Read more here.
The DPIA should be your road map to compliance with the Code. It should identify risks your online service poses to children, and then ways in which you plan to mitigate those risks. It should memorialize the varying and sometimes competing rights and interests of children of different age groups, and how you have balanced those rights and interests. Ultimately, the best interests of the children must be your primary consideration, even trumping your own commercial interests. Familiarize yourself with the UN Convention on the Rights of the Child and the General Comment on Children’s Rights in Relation to the Digital Environment.
The DPIA will take time to complete. While it should be started early, it will be a living document that is updated as new risks are identified and new solutions implemented.
It should be a multi-departmental effort, pulling from the design and development, marketing, data security, and legal teams, at a minimum. However, your Data Protection Officer should head the project.
Keep in mind that if the UK’s Information Commissioner’s Office (ICO) conducts an audit of your online service or investigates a complaint, its first ask will likely include a copy of your DPIA. If you have never done one and you are not sure where to get started, the ICO provides a helpful template on its Children’s Code Hub.
2.Take Steps to Know Your Users.
To conduct a proper DPIA, you will need to determine the level of confidence you have in the age ranges of your users. Specifically, what children are using or are likely to use your online service?
If you do not plan to apply the Code to your online service because you do not believe children under 18 years old are likely to access it, you must be prepared to defend that decision to the ICO. The ICO will expect evidence to support your decision. Do you have empirical data of your users’ ages? Have you conducted a user survey or done consumer research? If not, you may have work to do to satisfy the ICO.
Ultimately, the greater your uncertainty, the greater the risk and, therefore, the greater the need to mitigate. This might include eliminating elements of your online service especially risky to children or taking steps to limit children’s access. Please keep in mind, however, that the ICO does not want to see an age-gated Internet. In fact, according to the ICO, the use of age gates—i.e., where a user declares his or her age—is only appropriate in low-risk situations or where additional safeguards are in place.
3. Plan for “High Privacy” by Default.
The ICO seems to want “high privacy” to be the default setting for all users, but it is only required for users under 18 years old. High privacy by default means:
• Only collecting personal data needed to provide your “core” service;
• Allowing children to opt into optional elements of your service that require the additional collection and use of personal data, and minimizing the personal data you collect for those additional elements; and
• Turning off “detrimental uses,” like profiling, data sharing, and geolocation tracking, by default and only allowing them to be turned on when there is a compelling need and adequate protections in place.
The following is an example the ICO provides for a music download service, which helps to illustrate this point:
4. Begin Developing Online Tools.
Children must be given tools within your online service to make choices and exercise rights. This should include, for example, the ability to opt into and opt out of optional elements of your service, request the deletion of their personal data, and obtain access to their personal data. These tools must be highlighted to the child during the start-up process, prominently placed on the screen, and age appropriate.
5. Work on Age Appropriate Privacy Notices.
• • •
If you have more questions about the Age Appropriate Design Code or you want to learn more about our Program, please reach out to us through our Contact page to learn more about our program. Be sure to follow us on Twitter and LinkedIn for more privacy-related updates.