Online services: keeping children safe
What is the Age Appropriate Design Code?
The Age Appropriate Design Code (AADC) came into force on 2 September 2020 with a 12 month transition period. The AADC sets out several standards that organisations providing online services must follow to ensure they’re meeting their data protection obligations to protect the personal data of children that might use or access those services. It is a statutory code and therefore compliance with it is mandatory if it applies to your organisation.
The AADC applies to “information society services likely to be accessed by children”. An “information society service [ISS]” is defined as “any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services”.
In layman’s terms, that means it applies to any online service that children may access, whether or not they are the intended audience. It is primarily aimed at apps, games, connected toys and devices and news services, but it also applies to any other online service (including adult-only services aimed at individuals over the age of 18), even if children are not the target audience. In practice, that means all organisations with an online presence should consider whether the AADC applies to them.
What does it cover?
The ICO summarises the 15 standards as “technology-neutral design principles and practical privacy features”. The standards cover matters such as the best interests of those children, the appropriate use of parental controls and the deployment of nudge techniques, as well as reiterating some of the core principles of the UK GDPR, such as transparency and data minimisation. Most importantly, the standards require organisations to consider how children interact with their services from the outset and throughout, adjusting those services in a risk-based and proportionate way.
Does it only apply to UK-based organisations?
No. Like the UK GDPR, the AADC has extraterritorial effect. Therefore, its application is not limited to organisations based in the UK. If your organisation provides an ISS and in providing that service, it processes the personal data of children in the UK, the AADC will apply, and you must comply with it.
What does “likely to be accessed” mean?
On 3rd August the ICO published new guidance to help organisations understand whether their services are “likely to be accessed” by children and therefore if they need to comply with the AADC. The additional guidance comprises a checklist, responses to frequently asked questions and some case studies.
In deciding whether children are likely to access their services, organisations should consider things like:
- Who accesses their services? Do you have data to support your understanding?
- Will your type(s) of content, design features and activities appeal to children?
- Have you considered available external research and news reports, business intelligence and marketing data, and internal analytics to understand user behaviour of your services and whether what you offer might be appealing to children?
- Do your services include advertising and if so, is it likely to appeal to children?
- What systems, measures or processes do you have in place to prevent children accessing your services? Are they robust?
- If you think children might access your services, is the number of child users likely to be considered “significant”?
- Do you receive complaints about children accessing your services?
The checklist and factors to consider highlighted in the guidance are non-exhaustive and, as with all data protection matters, need to be considered in your organisational context.
What does compliance look like?
A data protection impact assessment (DPIA) is one of the 15 standards and will often be the first step for those organisations that are directly offering services to children, but it may also be appropriate for organisations that are not sure whether children access their services or not. A DPIA will enable an organisation to get a holistic view of its services and the processing activities involved and highlight any high-risk processing that may be involved. It should also pull together the technical and organisational measures deployed to keep personal data safe and highlight any mechanisms deployed to age-gate access to some or all of your offerings.
Depending upon the outcome of your DPIA, you might consider using the ICO’s Children’s Code Self-Assessment Risk Tool next. This has been designed with medium to large organisations in mind to guide them through the process of understanding how the UK GDPR and the AADC apply to their digital services. Using this tool will probably provide your organisation with an understanding of the practical steps that it might need to take to mitigate high-risk processing and, where applicable, apply the AADC in a proportionate and risk-based way.
Regardless of the outcome of the DPIA and risk assessment, organisations should always read ICO guidance, particularly if it is statutory guidance, and record the outcome of their consideration of it for accountability and audit trail purposes. Whilst it is inevitable that ICO guidance is generic, given that it regulates all organisations processing personal data, regardless of sector, it often contains practical tools that can be easily adapted for internal use, and those tools often extend to sector-specific information (e.g., the case studies in the “likely to be accessed” guidance).
Finally, any decisions made should be documented for accountability purposes and kept under review.
What might happen when you get it wrong?
Failure to comply with the AADC when it applies means that your organisation is unlikely to be able to demonstrate compliance with the UK GDPR and PECR. The ICO is required to take the AADC into consideration when deciding whether an online service is compliant and the regulatory action the ICO can take includes assessment notices, warnings, reprimands, enforcement notices and penalty notices (i.e., fines). Organisations should also bear in mind the potential reputational consequences that might arise from non-compliance.
How can DQM help you?
We have extensive experience in supporting customers with undertaking DPIAs, creating records of processing activities and achieving business objectives whilst remaining compliant with data protection regulations. Get in touch with us to discuss your plans and find out how we can guide you.
Interim and seconded consultants: If you need support to consider the AADC in light of your specific organisational activities, we can support you to lead projects, fill a skills gap or cover a leave or absence.
Bespoke solutions: We support a wide variety of activities through our Bespoke Solutions offering. From DPIAs to records of processing activities, we can help.