Is your online service age-appropriate?

From 1 September 2021, all online businesses in the UK that are likely to be accessed by children must comply with the Age Appropriate Design Code (Code). Although the Code on the Information Commissioner’s Office (ICO) is not law, developers and publishers must be aware of their obligations to reform their policies to comply with existing data protection laws in the UK GDPR and Data Protection Act 2018.

In this blog we cover what the Code is, who it applies to, what businesses should do to prepare and the penalties for breaching the Code.

What is the Code?

The Code is being introduced in response to increasing demands to safeguard children’s privacy online. The Code sets 15 flexible standards to protect children when they are exploring, learning and playing online. These high privacy standards protect children by ensuring that the best interests of the child are at the forefront when designing and developing services online. 

Who does the Code apply to?

If you’re an online business or Information Society Service (ISS) provider that processes personal data and is likely to be accessed by children (under the age of 18)  in the UK, then the Code applies to you. 

An ISS is any service normally provided for remuneration at a distance (ie the customer and provider are not simultaneously present at any stage) by electronic means. In practice, services can include; apps, programs, websites, social media platforms, content streaming services, educational websites, games or community environments, and connected toys or devices with or without a screen.  It is aimed at 

What are some of the 15 standards of the Code? 

The 15 standards in the Code explain how it conforms with GDPR but specifically relates to children. 

Some of the standards include:

  • best interest of the child – this is the primary and most important standard that coders, UX designers and system engineers should consider designing and developing online services
  • data protection and impact assessment – you should undertake a DPIA to assess and mitigate the rights and freedoms of children likely to access your service. 
  • data sharing – do not disclose a child’s data unless you can demonstrate that there is a necessity to do so whilst taking into account the child’s best interest
  • nudge techniques – you should not use nudge techniques that encourage children to provide you with unnecessary personal data 
  • default settings – by default, settings must be ‘high privacy’ unless you can provide a compelling reason for a different default setting
  • geolocation – unless there is a justifiable reason, by default, switch off geolocation services 
  • policies and community standards – you need to actively adhere to your own published terms and conditions and policies, whilst only using children’s personal data in accordance with your privacy policy

For a full list of set standards, read the Code on the ICO website.

What should I do?

All businesses should assume that they are caught by the Code and consider whether their service is likely to be accessed by children. Prior to the implementation of the Code, businesses should have taken steps to:

  • review the services and determine the age of the users to the services to establish if it contains risks to children. Features that could or likely to create a risk to children include in-game advertising, chat rooms and adult content 
  • remove or limit the risks such as turning off by default advertising 
  • renew your Data Privacy Impact Assessment for new and existing services and demonstrate how you fulfil the requirements of the Code. 
  • describe what processing of personal data you plan to do and address plans for parental controls or nudge techniques in your privacy policy and terms and conditions

The ICO has published a designated hub for the Code that you can read about here.  You can also Ask a Lawyer if you need to discuss your terms and conditions and policies. 

What are the penalties for not conforming to the standards of the Code?

If you process a child’s personal data and are found to be in breach of GDPR or PECR (Privacy and Electronic Communications Regulations), the ICO can take action against you. For serious breaches, this can include fines up to £17.5 million or 4% of annual turnover.