Earlier this year the rhetoric was around not every organisation being 100% compliant with the Age Appropriate Design Code (Children’s Code) by the end of the transition period and that the approach is one of proportionality and risk. Now as we enter the new enforcement phase of the Children’s Code on 2 September 2021, the latest blog issued by the Information Commissioner’s Office (ICO) makes it clear where the Regulator sees the main risks lie, i.e. “social media platforms, video and music streaming sites and video gaming platforms”.
At this stage many organisations will have decided if they are in scope and documented the outcome – be it in or out of scope. For those in scope, the mandatory Data Protection Impact Assessment (DPIA), mapping out children’s data and age ranges and the associated user journeys is key. This DPIA will inform and detail your road map to full compliance, and help to ensure high risk areas are prioritised. The added complexities for those operating globally, and having to navigate different approaches in the different jurisdictions, will mean it is essential to understand the nuances of each country’s law and undertake a risk assessment to decide whether to go for a localised or global approach to compliance. It has been reported that Members of the US Senate and Congress called on major US tech and gaming companies to voluntarily adopt the standards in the ICO’s Children’s code in US – music to the ICO’s ears – and perhaps for those with operations on the other side of the pond.
Changes are afoot and no-one wants to be the subject of enforcement action, e.g. compulsory audits, processing bans and/or fines, let alone the reputational damage such action could do to a brand. The ICO has said it will be “proactive in requiring social media platforms, video and music streaming sites and the gaming industry to tell us how their services are designed in line with the code.” While this is softened by the acknowledgement that the ICO “will identify areas where we may need to provide support”, they also go on to say “we have powers to investigate or audit organisations” should the circumstances require such action.
There is also tacit acknowledgement of the difficulties surrounding age assurance and the ICO will be formally setting out their position on this in the Autumn. While documenting plans and implementing solutions to comply are ongoing in many organisations, those further down the road will need to keep an eye out for this announcement and understand what impact, if any, it may have on their position.
Finally, a bit of good news for those grappling with the interaction between the proposed online safety legislation, the online harms framework and the Children’s Code, the ICO is working with other regulators through the Digital Regulation Cooperation Forum which will help ensure a consistent approach to protecting children online.
“Ultimately the Children’s code will help industry innovate to ensure that the best interests of the child are a primary concern online and built into the design from the beginning. This will grow the trust between online services, children, parents and society.”