Information Commissioner's Office
ICO’s Children’s Code will help protect children online
A statutory code requiring organisations to provide better online privacy protections for children comes into force today, triggering the start of a 12 month transition period.
The Age Appropriate Design Code or Children’s Code applies to organisations providing online services and products likely to be accessed by children up to age 18, and gives organisations a year to make the necessary changes to put children’s privacy at the heart of their design.
The code sets out 15 standards for designers of online services and products and how they should comply with data protection law. The code will require digital services to automatically provide children with a built-in baseline of data protection whenever they download a new app, game or visit a website.
The code breaks new ground as regulatory guidance focused on a ‘by design approach’ and is a huge step towards protecting children online, especially given the increased reliance on online services at home during COVID-19.
All the major social media and online services used by children in the UK will need to conform to the code.
Elizabeth Denham, Information Commissioner said:
“A generation from now we will all be astonished that there was ever a time when there wasn’t specific regulation to protect kids online. It will be as normal as putting on a seatbelt.
“This code makes clear that kids are not like adults online, and their data needs greater protections. We want children to be online, learning and playing and experiencing the world, but with the right protections in place.
“We do understand that companies, particularly small businesses, will need support to comply with the code and that’s why we have taken the decision to give businesses a year to prepare, and why we’re offering help and support.”
The regulator is calling on organisations to get in touch to highlight the extra help they may need to understand the new code. Based on their feedback, the ICO is spending the next year developing a tailored package of support to help organisations adapt their online products and services before 2 September 2021.
The code is risk based, which means it does not apply to all organisations in the same way. Those responsible for designing, developing or providing online services like apps, connected toys, social media platforms, online games, educational websites and streaming services that use, analyse and profile children’s data, are likely to have to do more to conform to the code.
The ICO’s new web hub is a starting point for all those responsible to get the necessary help and support. A series of webinars, held throughout September, will support members of trade associations in the gaming, video streaming, social media and connected toys sectors.
The ICO is also interested in hearing from innovators concentrating on cutting edge personal data projects dealing with the issues posed by the implementation of the Children’s Code. It is inviting organisations to apply for places in its free regulatory Sandbox. The Sandbox is designed to support organisations using personal data to develop innovative products and services and accepts applications from all types of organisations from start-ups, SMEs and large organisations, across private, public and voluntary sectors.
More resources are being added to the ICO’s website over the coming weeks including a toolkit for organisations to help assess whether they need to comply and details of workshops on assessing risk.
The launch of the Age Appropriate Design Code comes during the ICO’s tech month, which highlights how the ICO is working to improve data protection practices in the digital economy. Follow the details on Twitter #icotechmonth.
Notes to Editors
- The Information Commissioner’s Office (ICO) is the UK’s independent regulator for data protection and information rights law, upholding information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
- The ICO has specific responsibilities set out in the Data Protection Act 2018 (DPA2018), the General Data Protection Regulation (GDPR), the Freedom of Information Act 2000 (FOIA), Environmental Information Regulations 2004 (EIR) and Privacy and Electronic Communications Regulations 2003 (PECR).
- The Government included provisions in the Data Protection Act 2018 to create world-leading standards that provide proper safeguards for children when they are online.
- As part of that, the ICO is required to produce an age-appropriate design code of practice to give guidance to organisations about the privacy standards they should adopt when offering online services and apps that children are likely to access and which will process their personal data. (A link to the Parliamentary debate, led by Baroness Kidron, is here.)
- The 15 standards in the Code are backed by existing data protection laws which are legally enforceable and regulated by the ICO.
- The first draft of the code went out to consultation in April 2019. It was informed by initial views and evidence gathered from designers, app developers, academics and civil society. You can read the responses here.
- The ICO also sought views from parents and children by working with research company Revealing Reality. The findings from that work are here.
- Since 25 May 2018, the ICO has the power to impose a civil monetary penalty (CMP) on a data controller of up to £17million (20m Euro) or 4% of global turnover.
- The GDPR and the DPA2018 gave the ICO new strengthened powers.
- The data protection principles in the GDPR evolved from the original DPA, and set out the main responsibilities for organisations.
- To report a concern to the ICO, go to ico.org.uk/concerns.
Latest News from
Information Commissioner's Office
Blog: Simplifying subject access requests – new detailed SARs guidance22/10/2020 12:25:00
The right of access is a fundamental right under data protection law. And it has never been more necessary. In a world where personal data is used almost everywhere – by everyone – it’s vital that people have the right to be able to find out what’s happening to their information.
ICO fines British Airways £20m for data breach affecting more than 400,000 customers19/10/2020 12:25:00
The Information Commissioner’s Office (ICO) has fined British Airways (BA) £20m for failing to protect the personal and financial details of more than 400,000 of its customers.
Blog: Engagement key in protecting people’s privacy across the UK during the pandemic14/10/2020 12:25:00
Information Commissioner Elizabeth Denham highlights the positive results of the ICO’s engagement with the UK devolved administrations on the use of data in the fight against COVID-19.
ICO takes action against company for sending spam emails selling face masks during pandemic09/10/2020 12:25:00
A company that sent spam emails selling face masks during the pandemic has been fined £40,000 by the ICO and issued with an enforcement notice.
Statement on the outcome of the ICO’s compulsory audit of the Department for Education08/10/2020 09:10:00
The Information Commissioner’s Office (ICO) has published the outcome of a compulsory audit of the Department for Education DFE carried out in February 2020.
Blog: Elizabeth Denham on the conclusion of the ICO’s investigation into the use of personal data in political campaigning07/10/2020 09:10:00
There can be few cases that better illustrate how mainstream data protection has become than the ICO’s investigation into the use of personal data in political campaigning, including by the now defunct Cambridge Analytica.
ICO launches consultation on draft Statutory guidance02/10/2020 12:25:00
The Information Commissioner's Office (ICO) has launched a public consultation on its draft Statutory guidance, which details how it will regulate and enforce data protection legislation in the UK.
ICO fines company flouting the law in order to profiteer from the coronavirus pandemic25/09/2020 12:25:00
The Information Commissioner’s Office (ICO) has fined Digital Growth Experts Limited (DGEL) £60,000 for sending thousands of nuisance marketing texts at the height of the pandemic.