The Children’s Code (“the Code”) was formally known as the Age-Appropriate Design Code. It came into force on 2 September 2020, with a 12-month transition period, requiring all organisations to conform by 2 September 2021. As the deadline approaches, we at DPAS have provided a simple outline of what this code is, and how it may affect you.
You may have recently seen in the news that TikTok is once again in the headlines. This time it is over how they collect children’s data. It is alleged that children’s data, including phone numbers, videos, location and biometric data, is being collected without sufficient warning, transparency or consent. If the claim is successful, then the children affected could be owed thousands of pounds. Allegations such as this have the potential to set precedence, and should be watched with caution.
Does the Children’s Code apply to my organisation?
The code applies to you if you if you provide “relevant information society services which are likely to be accessed by children”, as provided by section 123 Data Protection Act 2018 (DPA 2018). Therefore, any organisation that provides services, apps, games and web and social media services where children are likely to have access will fall under scope. A few examples include Snapchat, Facebook and online retailers such as Amazon.
What are the implications of non-compliance? The ICO can undertake a compulsory audit, and/or issue orders to halt the processing. They can also issue fines of up to 4% of annual turnover.
How old is a child? The Code adopts the UN Convention on the Right of the Child (UNCRC) definition. This defines a child as anyone under the age of 18. Not to be confused with a child’s age of consent for online services, which is 13 in the UK.
There are 15 Standards in the Children’s Code:
- Best interests of the child – ensuring that children and their safety is at the heart of consideration, and a primary concern when identifying what data needs to be collected.
- Data protection impact assessments – this is a mitigation tool, used to identify risks and record the actions carried out to address those risks.
- Age-appropriate application – child ages will vary, and therefore there will be children at different stages of their development. This needs to be considered when designing the privacy settings imposed by your organisation. This could be be a blanket standard for all of those under 18, or a more tailored approach.
- Transparency – this standard is set out in article 5 of the GDPR, where data must be processed “lawfully, fairly and in a transparent manner”. Article 12 goes on to require you to provide information in a format that a child can understand.
- Detrimental use of data – in essence, do not use children’s data where it may be detrimental to their wellbeing.
- Policies and community standards – follow what you set out to do in your organisations policies, and review and update where necessary.
- Default settings – this is where the privacy settings should automatically be high with regards to the collection of children’s data. For example, not collecting any more data than absolutely necessary to carry out your service or function.
- Data minimisation – this is where you collect the minimum amount of data necessary.
- Data sharing – not to share the data unless it is in the best interests of the child.
- Geolocation – any location tracking should be turned off by default.
- Parental controls – if parental controls are in place, ensure the child is aware and understands how their data is being monitored by their parents.
- Profiling – any form of automated processing should be automatically switched off. It should only be used if it is in the best interest of the child.
- Nudge techniques – do not use nudge techniques to encourage children to provide any personal data. A nudge technique is a prompt or positive reinforcement technique used to encourage users to provide certain details, or follow a certain route.
- Connected toys and devices – ensuring any toy you provide also conforms to the code.
- Online tools – finally, providing support to children, in order to enable them to exercise their rights over data protection laws.
Children’s Data and the GDPR
What does the GDPR say about children’s data? The GDPR seeks to ensure that children are provided with the same rights as adults, and also that their personal data is collected and processed with additional safeguards. For example, it is almost mandatory to carry out a data protection impact assessment where is it likely that children’s data will be processed. If you provide a service that is likely to have children providing personal data, you should provide a privacy notice that a child can understand. One way to tackle this is to ask someone under the age of 18 to read the privacy notice, and ascertain whether they understand its content. This approach is one we have previously taken with clients.
Data Protection Impact Assessments
A data protection impact assessment can be used to highlight the potential risks around the processing activity you undertake as an organisation. It allows you to take a proportionate risk-based approach. This is the second standard set out by the ICO under the code.
It is best practice for a DPIA to be undertaken prior to any high-risk processing activity. However, do not let this stop you from carrying out a DPIA even after processing has begun. Completing a DPIA will show the ICO that you are attempting to take all necessary and reasonable steps to protect the rights of individuals. As they say, better late than never.
Moving forward, undertaking a DPIA will allow your organisation to raise potential risks at an earlier stage. Having additional time to plan and prepare will help ensure that the privacy by deign principle is embedded into the organisations, ways of working and can bring greater cost savings in the future.
Also get your DPO, or Data Privacy partner, to review and sign off your DPIA.
What does your organisation need to do now?
- A review of data processing activities through completing and updating your ROPA.
- Consider the need to undertake a DPIA.
- Reinforce the need to have tighter privacy settings
- Review the 15 standards set out in the ICO guidance.
Who does the Children’s Code not apply to?
- Public authorities where children’s data is not collected and processed on a commercial basis.
- Companies that have provided information solely about their business but offer no ability to buy online products or access services.
- General broadcasting services. However, on-demand services are within scope of the code.
- Counselling services provide to children, for example, the NSPCC website.
How does Brexit affect your position on the Children’s Code?
This code is a requirement under UK data protection laws. Therefore it continues to apply even now, post-Brexit.
The code will also applies to any organisation who targets UK users, both inside and outside the EEA. So even if your organisations headquarters are based outside the UK, you will still be required to conform.
If you would like any further advice or explanation on what has been discussed, then please do reach out to us at DPAS.
Charlotte is our Data Protection Paralegal, having studied law at Cardiff University. She has worked in public and private sectors in Cardiff and the South West, and has experience in audits and providing legal services.