Information Commissioner's Office
“Children are better protected online in 2022 than they were in 2021” - ICO marks anniversary of Children’s code
The ICO is marking the anniversary of the groundbreaking Children’s code, that has changed how children are treated online.
The Children’s code was fully rolled out in September 2021, requiring online services including websites, apps and games to provide better privacy protections for children, ensuring their personal data is protected within the digital world.
In the past year, the ICO’s action has prompted changes by social media platforms, gaming websites and video streaming services.
Changes include targeted and personalised ads being blocked for children, children’s accounts set to private by default, adults blocked from directly messaging children and notifications turned off at bedtime.
The code has also had an international effect, inspiring reviews of children’s privacy protections in California, Europe, Canada and Australia.
Information Commissioner John Edwards yesterday said:
“We’ve seen real changes since the Children’s code came into force a year ago. These changes come as a result of the ICO’s action enforcing the code, making clear to industry the changes that are required.
“The result is that children are better protected online in 2022 than they were in 2021.
“This code makes clear that children are not like adults online, and their data needs greater protections. We want children to be online, learning, playing and experiencing the world, but with the right protections in place to do so.
“There’s more for us to achieve. We are currently looking into a number of different online services and their conformance with the code as well as ongoing investigations. And we’ll use our enforcement powers where they are required.”
Positive changes seen over the past year
The code has been instrumental in behaviour change of big tech platforms and smaller online services. Some changes we have observed over the past year include:
- Facebook and Instagram has limited targeting to age, gender, and location for under-18s. Both Facebook and Instagram ask for people’s date of birth at sign up, preventing them from signing up if they repeatedly entered different dates, and disabling accounts where people can’t prove they’re over 13. Instagram also launched parental supervision tools, along with new features like Take A Break to help teens manage their time on the app.
- YouTube has turned off autoplay by default and turned on take a break and bedtime reminders by default for Google Accounts for under 18s.
- Google has enabled anyone under 18 (or their parent/guardian) to request to remove their images from Google image search results, location history cannot be enabled by Google accounts of under 18s and they have expanded safeguards to prohibit age-sensitive ad categories from being shown to these users.
- Nintendo only allows users above 16 years-of-age to create their own account and set their own preferences.
The code applies to any service being used by children living in the UK, and we have seen changes by companies around the world. We have also seen other countries strengthening the protections they provide for children, inspired by our work. These include the recently proposed California Age Appropriate Design Code Bill, which uses the ICO’s Children’s code as a template, while Unicef are looking at how protections can be brought in globally.
Organisations providing online services and products likely to be accessed by children must abide by the code or face tough sanctions. The ICO are currently looking into how over 50 different online services are conforming with the code, with four ongoing investigations. We have also audited nine organisations and are currently assessing their outcomes.
We will continue to evolve our approach, listening to others to ensure the code is having the maximum impact.
For example, we have seen an increasing amount of research (from the NSPCC, 5Rights, Microsoft and British Board of Film Classification), that children are likely to be accessing adult-only services and that these pose data protection harms, with children losing control of their data or being manipulated to give more data, in addition to content harms. We have therefore revised our position to clarify that adult-only services are in scope of the Children’s code if they are likely to be accessed by children.
As well as engaging with adult-only services directly to ensure they conform with the code, we will also be working closely with Ofcom and the Department for Digital, Culture, Media and Sport (DCMS) to establish how the code works in practice in relation to adult-only services and what they should expect. This work is continuing to drive the improvements necessary to provide a better internet for children.
Notes to Editors
- For further information on the Children’s code, please visit our website: https://ico.org.uk/childrenscode
- The Information Commissioner’s Office (ICO) is the UK’s independent regulator for data protection and information rights law, upholding information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
- The ICO has specific responsibilities set out in the Data Protection Act 2018 (DPA2018), the UK General Data Protection Regulation (UK GDPR), the Freedom of Information Act 2000 (FOIA), Environmental Information Regulations 2004 (EIR) and Privacy and Electronic Communications Regulations 2003 (PECR).
- The Government included provisions in the Data Protection Act 2018 to create world-leading standards that provide proper safeguards for children when they are online.
- As part of that, the ICO is required to produce an age-appropriate design code of practice to give guidance to organisations about the privacy standards they should adopt when offering online services and apps that children are likely to access and which will process their personal data. (A link to the Parliamentary debate, led by Baroness Kidron, is here.)
- The first draft of the code went out to consultation in April 2019. It was informed by initial views and evidence gathered from designers, app developers, academics and civil society. You can read the responses here.
- The ICO also sought views from parents and children by working with research company Revealing Reality. The findings from that work are here.
- To report a concern to the ICO, go to ico.org.uk/concerns.
Latest News from
Information Commissioner's Office
Information Commissioner’s Office tells platforms to respect information rights when moderating online content16/02/2024 12:25:00
The Information Commissioner’s Office (ICO) is working to support people's information rights online by ensuring organisations understand their data protection obligations when seeking to make their platforms safer.
Practical tips for small beauty and wellbeing businesses this Valentine’s Day14/02/2024 13:15:00
Show your customers you care – about their information rights – this Valentine’s Day.
ICO approves legal services certification scheme14/02/2024 10:20:00
The Information Commissioner’s Office (ICO) has approved a certification scheme aimed at legal service providers who process personal data.
ICO responds to Home Office’s draft regulations to the immigration exemption13/02/2024 10:25:00
The Information Commissioner's Office has welcomed proposed government changes to provide clearer safeguards around how people in a potentially vulnerable position within the immigration system are able to access the information held about them.
ICO urges all app developers to prioritise privacy09/02/2024 10:15:00
The Information Commissioner’s Office (ICO) is reminding all app developers to ensure they protect users’ privacy, following the regulator’s review of period and fertility apps.
ICO warns organisations to proactively make advertising cookies compliant after positive response to November call to action31/01/2024 15:20:00
Last November we wrote to 53 of the UK’s top 100 websites, warning that they faced enforcement action if they did not make changes to advertising cookies to comply with data protection law.
New ICO campaign promotes sharing data to safeguard children30/01/2024 09:10:00
The Information Commissioner’s Office is partnering with education, law enforcement and social service organisations to raise awareness about responsible data sharing to protect children from harm.
South Tees Hospitals NHS Foundation Trust reprimanded for “serious, harmful” data breach25/01/2024 16:20:00
The Information Commissioner’s Office (ICO) has today announced it has reprimanded South Tees Hospitals NHS Foundation Trust for a data breach which resulted in a disclosure containing sensitive information to a unauthorised family member.
ICO fines financial services company £50k for spam text messages19/01/2024 14:10:00
Financial services company LADH Limited has been fined £50,000 by the Information Commissioner’s Office (ICO) for sending tens of thousands of spam text messages, in breach of Privacy and Electronic Communications Regulations (PECR).