The Information Commissioner’s Office (ICO) has today (22 January 2020) published its Age Appropriate Design Code, or the so-called ‘Kids Code’, aimed at protecting children’s privacy online.
The final version is the result of a detailed consultation through which the ICO engaged with key stakeholders, including trade bodies, industry representatives and privacy campaigners.
What does the Code do?
The Code applies to online services that process children’s personal data and that are likely to be accessed by children – for example, social media platforms, educational websites, and streaming services.
It sets out 15 standards that online service providers should meet – such standards include:
- settings that allow a child’s location to be shared or for their personal data to be used for behavioural advertising should be switched off by default;
- other privacy settings need to be set to ‘high’;
- ‘nudge’ behaviour encouraging children to reduce their privacy settings should not be deployed;
- children’s best interests should be taken into account; and
- personal data collection from children should be kept to a minimum. The Code also sets out detailed guidance on the approach which should be taken to users of different ages in relation to the various standards.
Why has the Code been published?
The ICO was required by the Data Protection Act 2018 to produce the Code.
Elizabeth Denham, Information Commissioner, explained the rationale for the Code as follows:
“Personal data often drives the content that our children are exposed to – what they like, what they search for, when they log on and off and even how they are feeling.
“In an age when children learn how to use an iPad before they ride a bike, it is right that organisations designing and developing online services do so with the best interests of children in mind. Children’s privacy must not be traded in the chase for profit.”
What happens now?
There will now be a Parliamentary approval process which is expected to conclude in Autumn 2020. Organisations will then have 12 months to implement the necessary changes from the date that the Code takes effect.
As and when the Code is in effect, any non-compliant online services which are likely to be accessed by children should expect enforcement activities by the ICO under the Data Protection Act 2018 or the Privacy and Electronic Communications Regs.
If you would like advice on any aspects of the Code, you can contact our Data Protection team.