The Age Appropriate Design: Code of Practice for Online Services (the “Code”) has been approved by Parliament and will come into force on the 2 September 2020. Organisations have only 12 months from 2 September to implement, potentially drastic, necessary changes to demonstrate compliance with standards of the Code.
As we have written previously, children’s access to the digital world is not only inevitable, but beneficial; the aim of the Code is therefore ‘to protect children from within the digital world as opposed to protecting them from the digital world.’ See our article here for more detail of what the Code contains.
The 15 Code Standards are designed to cumulatively interlink, furthering the goal of ensuring that children have the best possible access to online services, whilst minimising data collection and use. Sounds simple right?
Given the wide scope of the Code (it applies to all information society services likely to be accessed by children) all organisations should be on guard for whether it will apply to them and whether they need to make big changes to how they make their online services available. It will apply to existing and new services. The Information Commissioner, Elizabeth Denham, has made clear how strongly she feels about the Code stating ‘children’s privacy must not be traded in the chase for profit.’
The Code is not intended to be prescriptive, so don’t worry if you don’t entirely understand what you need to do. It is intended to allow flexibility to conforming with the scope of the General Data Protection Regulation and the Privacy and Electronic Communications Regulations when providing these services.
To pre-empt the confusion on how to implement the Code in practice, the ICO is currently developing a support package to assist companies who are required to comply with the Code. They will take on board feedback received from industry about the type of support they require during the transition period. The ICO has already issued guidance to small businesses and Media FAQs on how the Code will impact the news media, in consultation with the News Media Association.
The ICO is required under 123(1) of the Data Protection Act to produce this Code, or a version of it, and the determination they have shown to follow through on this obligation could be indicative of how seriously they will take regulating compliance. They have said that they will follow the approach in their Regulatory Action Policy which applies a proportionate and risk based approach.
Parliament and government have acted to ensure that our domestic data protection laws truly transform the way we safeguard our children when they access online services by requiring the Commissioner to produce this statutory code of practice. This code seeks to protect children within the digital world, not protect them from it.