On 12 August the Information Commissioner’s Office (ICO) issued the long-awaited Age appropriate design code of practice for online services, which seeks to enhance the safety of the online environment for children. The code, which has now been approved by Parliament, will come into force on 2 September 2020, with a 12-month transitional period.

The ICO applied the longest transition period available under the Data Protection Act 2018 to the code, likely in recognition that many organisations will need to undertake a significant review of their online services to achieve compliance.

As noted previously on the Lens, the code is part of an overall drive by the UK Government (spearheading a trend across the EU more widely) to enhance internet safety. The Government’s April 2019 Online Harms White Paper (and now delayed implementing legislation) is also a key element of this drive.

The code’s 15 standards apply to the vast majority of online services (including websites and apps) and connected toys which are likely to be accessed by children. The code seeks to place the child’s best interests at the core of product design, minimise the collection of children’s data and ensure that children are not encouraged to weaken their privacy protections.  

The ICO consulted extensively on the draft code published in January of this year, and received significant pushback from organisations that found the code’s requirements to be unduly burdensome and disproportionate. The ICO incorporated a number of amendments into the code to address such criticisms.

Notably, the ICO removed the standard regarding governance and accountability, reducing the original 16 standards to 15. The ICO also replaced the age verification requirement (under the third standard) with a requirement that organisations apply a risk-based and proportionate approach to identifying the age of users. More specifically, the third standard now requires organisations to ‘establish age with a level of certainty that is appropriate to the risks to the rights and freedoms of children that arise from your data processing, or apply the standards in this code to all your users instead.’ This change has been seen by critics, including MPs in the House of Commons debates on the code, to be a ‘watering down’ of the original requirement to verify the age of users.

The code is the first of four statutory codes that the ICO is required to publish under the Data Protection Act 2018 (the others being the data-sharing code, the direct marketing code and the data protection and journalism code). The ICO will review the code one year after its coming into force.

Organisations need to assess sooner rather than later what steps they need to take to bring the services they offer into compliance with the code, as the 12-month transition period will fly by.