The UK’s Age Appropriate Design Code: 5 Steps to Get You Started

Written by John Falzone, VP Privacy Certified
October 14, 2020

On September 2, 2020, the United Kingdom’s Age Appropriate Design Code (Code) went into effect. There is, however, a 12-month transition period to allow companies to bring their online services—including websites, mobile apps and connected toys and devices—into compliance. While 12 months might seem like a lot of time, it is not. There is much work to be done. To get started, we recommend taking 5 steps.

1. Begin Conducting a Data Protection Impact Assessment.
The Code applies to all online services that children under 18 years old are likely to access—in other words, most online services. And if the Code applies, then a Data Protection Impact Assessment (DPIA) is required. If you have not done a DPIA, this is the time. If you have done one, update it with the Code in mind.

Not sure if the Age Appropriate Design Code applies to your online service? Read more here.

The DPIA should be your road map to compliance with the Code. It should identify risks your online service poses to children, and then ways in which you plan to mitigate those risks. It should memorialize the varying and sometimes competing rights and interests of children of different age groups, and how you have balanced those rights and interests. Ultimately, the best interests of the children must be your primary consideration, even trumping your own commercial interests. Familiarize yourself with the UN Convention on the Rights of the Child and the General Comment on Children’s Rights in Relation to the Digital Environment.

The DPIA will take time to complete. While it should be started early, it will be a living document that is updated as new risks are identified and new solutions implemented.

It should be a multi-departmental effort, pulling from the design and development, marketing, data security, and legal teams, at a minimum. However, your Data Protection Officer should head the project.

Keep in mind that if the UK’s Information Commissioner’s Office (ICO) conducts an audit of your online service or investigates a complaint, its first ask will likely include a copy of your DPIA. If you have never done one and you are not sure where to get started, the ICO provides a helpful template on its Children’s Code Hub.

2.Take Steps to Know Your Users.
To conduct a proper DPIA, you will need to determine the level of confidence you have in the age ranges of your users. Specifically, what children are using or are likely to use your online service?

If you do not plan to apply the Code to your online service because you do not believe children under 18 years old are likely to access it, you must be prepared to defend that decision to the ICO. The ICO will expect evidence to support your decision. Do you have empirical data of your users’ ages? Have you conducted a user survey or done consumer research? If not, you may have work to do to satisfy the ICO.

Ultimately, the greater your uncertainty, the greater the risk and, therefore, the greater the need to mitigate. This might include eliminating elements of your online service especially risky to children or taking steps to limit children’s access. Please keep in mind, however, that the ICO does not want to see an age-gated Internet. In fact, according to the ICO, the use of age gates—i.e., where a user declares his or her age—is only appropriate in low-risk situations or where additional safeguards are in place.

3. Plan for “High Privacy” by Default.
The ICO seems to want “high privacy” to be the default setting for all users, but it is only required for users under 18 years old. High privacy by default means:
• Only collecting personal data needed to provide your “core” service;
• Allowing children to opt into optional elements of your service that require the additional collection and use of personal data, and minimizing the personal data you collect for those additional elements; and
• Turning off “detrimental uses,” like profiling, data sharing, and geolocation tracking, by default and only allowing them to be turned on when there is a compelling need and adequate protections in place.
The following is an example the ICO provides for a music download service, which helps to illustrate this point:

4. Begin Developing Online Tools.
Children must be given tools within your online service to make choices and exercise rights. This should include, for example, the ability to opt into and opt out of optional elements of your service, request the deletion of their personal data, and obtain access to their personal data. These tools must be highlighted to the child during the start-up process, prominently placed on the screen, and age appropriate.

5. Work on Age Appropriate Privacy Notices.
In addition to your standard privacy policy intended for adults, the Code requires privacy disclosures that are understandable and accessible to your child users. If your online service is accessed by or likely to be accessed by children in different age groups, appropriate disclosures will need to be tailored to each of those age groups. For children 6 to 9 years old, for example, the ICO expects you to explain the basic concepts of your online service’s privacy practices and online tools. You are encouraged to use cartoons, and video and audio materials to make the disclosures child friendly. Older teens, in contrast, should be given more detail and more choices.
Moreover, you are expected to do more than just post a privacy policy. If, for example, a child attempts to opt into a lower privacy setting, you are expected to display an age appropriate notice. Children should be encouraged to get or speak with a parent or trusted adult. They should be told what personal data will be collected if the default setting is changed and how that information will be used. If the personal data will be shared with a third party, the child should be given a separate opt-in choice for the sharing or, at a minimum, a clear and age appropriate notice that the data will be shared. Any risks should be highlighted, and children should be encouraged to keep the default setting if they are unsure or do not understand. The following is a sample notice provided by the ICO:

If you have more questions about the Age Appropriate Design Code or you want to learn more about our Program, please reach out to us through our Contact page to learn more about our program. Be sure to follow us on Twitter and LinkedIn for more privacy-related updates.