What's the Code all about?
Protecting children from misuse of their personal data has been prioritised by data protection regulators across Europe, but the UK is the first to issue a new comprehensive code of practice on this issue. It is important to see the Code also in the context of wider regulatory reform in relation to online harm and tougher proposals to increase the responsibilities of technology companies in protecting children and vulnerable individuals.
The Code provides detailed guidance on how providers should and shouldn't use the personal data of children pursuant to the high level obligations under the General Data Protection Regulation (GDPR) and Privacy and Electronic Communications Regulations (PECR). It is a common mistake that EU data laws only really become onerous for services offered to those under the age of 13 (not helped by the infamous COPPA laws in the United States, which do focus on this age for regulation there). This simply isn’t the case and the GDPR reference to 13 relates to specific requirements where entities rely on consent for lawful processing for the provision of online services. This leaves a whole raft of other processing activities and obligations under the legislation that must be read in light of the statement in Recital 38 of the GDPR that "children merit specific protection with regard to the use of their personal data".
The Code can be seen as putting the flesh on the bones of that Recital and explaining the regulator's expectations for any information society services which may be "likely to be accessed" by children – but where children means anyone under 18.
Who must comply?
The Code covers "information society services". Essentially, this means electronic services including search engines, websites, mobile apps, messaging services, social media platforms, on demand and other streamed or downloaded content services (but not broadcasts), educational websites and electronic games. The service must be "normally provided for remuneration", which means that non-commercial services offered by public authorities don't fall within this definition. Don't be fooled that services must be paid for to be caught though: the definition encompasses services which may be funded in other ways, such as through advertising, or otherwise seen as "economic activity" in the broader sense.
Jurisdiction-wise, bear in mind that the Code is issued pursuant to the GDPR and therefore the Code will bite on any entity that is based in the UK or has an establishment in the UK (such as an office or branch which is processing personal data). It also applies if entities are based outside the European Economic Area but offer services to UK users or monitor UK user behaviour (for example, through tracking cookies). Since the UK will have left the European Union by the time the Code's transition period ends, however, and subject to any deal, this reach will be extended to cover entities inside the European Economic Area whose services are targeted at the UK.
What do you need to do?
The Code contains 15 standards and providers are expected to build these standards into the design of their services regarding the processing of personal data. Many of the standards overlap and can be quite high level, such as "the best interests of the child should be a primary consideration when you design and develop online services likely to be accessed by a child".
Key actions you need to take to prepare for compliance include the following:
1. Determine if your service will be "likely to be accessed by" children under 18. Your service doesn't have to be actively targeting children to be caught; it depends on whether children actually use your service and whether it appeals to them. The good news is that the new draft incorporates a higher test of whether the possibility of such access is "more probable than not".
2. Complete/update your data protection impact assessment regarding the use of children's data. This will need to document your assessment of whether or not your service must comply with the Code (under 1 above) and, if it does, how it meets the 15 standards. There is more focus on considering whether consultation with children and parents is appropriate, with the Code saying it will "expect larger organisations to do some form of consultation in most cases."
3. Establish the age of children using your service and the risks to those children depending on the age range. The first draft of the Code was criticised for suggesting that companies would either need to age-gate or apply the full Code requirements to all users. The new draft doesn't go quite this far and, in particular, is not prescriptive about how a service should establish the age of its user base. For example, the ICO suggests that self-declaration may be suitable for low risk processing but also that there are other possible methods, including AI, third party verification services, account holder confirmation, technical measures and hard identifiers.
4. If children do use your service, consider whether you provide information and controls to them in a way that is age-appropriate for their age range. The Code sets out five different age ranges with different requirements. This may require updates to privacy notices, just-in-time notices and pop-up bite-size explanations, and also a review of parental controls and information.
5. Pay particular attention to any elements of your service which use personal data for features such as marketing, likes or rewards, or in-game or app-based continuous scrolls or extended play. You need to be able to ensure that these are not detrimental and that appropriate safeguards are in place.
6. Consider how you will ensure that features such as personalisation (not just of advertising but also of content) or use of location or other profiling could be set to a default 'off'. This will continue to be a key area of concern for many service providers which use personal data to keep their services appealing to users by personalising the service or offering recommendations for content or features a user may like. We expect this provision to require a lot of design and assessment planning for companies.
When does it come into force?
The new Code includes a 12 month transition period, which had been heavily lobbied for and will be necessary given the number of design and technological changes that will be required by many services to ensure compliance. We don't know yet exactly when the transition will begin since we have to wait for Parliament to approve the Code and the 12 month clock will then commence from the day it comes into force.
What are the consequences of non-compliance?
This is a statutory code. This means the ICO would consider whether a provider has complied with the Code in deciding whether it is compliant with the GDPR (or the UK's Data Protection Act 2018) and PECR. For example, if the ICO was considering a complaint that a provider had breached data protection laws, such as not being fair in its processing of children's data, the ICO would use the Code as a guide to expected standards for compliance. Therefore, all of the applicable high potential fines and enforcement powers that exist under that legislation are relevant here, but there aren't separate fines for the Code specifically.
Client Alert 2020-028