The UK's Information Commissioner's Office (ICO) has published the eagerly awaited text of the children's data code (or 'Age Appropriate Design Code' to use its official title) which it submitted for parliamentary approval last year.
This is a really significant step since the first draft of the code was heavily criticised for its surprisingly tough requirements which would have almost certainly led to a big increase in age-gating among other things.
In this article, we summarise the key points and changes in the revised Code. Following heavy lobbying and consultation, many significant amendments have been made but some very tricky issues remain and any electronic services that are likely to be accessed by a child (up to the age of 18, note - we are not talking about a cut-off of 13) are going to have a lot of work to do this year.
What's the Code all about?
Protecting children from misuse of their personal data has been prioritised by data protection regulators across Europe, but the UK is the first to issue a new comprehensive code of practice on this issue. It is important to see the Code also in the context of wider regulatory reform in relation to online harm and tougher proposals to increase the responsibilities of technology companies in protecting children and vulnerable individuals.
The Code provides detailed guidance on how providers should and shouldn't use the personal data of children pursuant to the high level obligations under the General Data Protection Regulation (GDPR) and Privacy and Electronic Communications Regulations (PECR). It is a common mistake that EU data laws only really become onerous for services offered to those under the age of 13 (not helped by the infamous COPPA laws in the United States, which do focus on this age for regulation there). This simply isn’t the case and the GDPR reference to 13 relates to specific requirements where entities rely on consent for lawful processing for the provision of online services. This leaves a whole raft of other processing activities and obligations under the legislation that must be read in light of the statement in Recital 38 of the GDPR that "children merit specific protection with regard to the use of their personal data".
The Code can be seen as putting the flesh on the bones of that Recital and explaining the regulator's expectations for any information society services which may be "likely to be accessed" by children – but where children means anyone under 18.