One in five United Kingdom ("UK") internet users are under 18 and, according to the UK's Information Commissioner's Office (the "ICO"), "are using an internet that was not designed for them." Under the UK's Data Protection Act 2018 ("UK DPA"), the ICO was required to issue a statutory code of practice setting out standards that will apply to online or connected products or services that (i) process personal data and (ii) are likely to be accessed by anyone under the age of 18 in the UK. This code of practice is referred to as the "Age Appropriate Design Code" (the "Code").
As children's privacy continues to be one of the primary areas of concern for legislators and privacy advocates, the Code reflects a global direction of travel, with similar reforms being considered in the USA, in Europe and globally by the Organisation for Economic Co-operation and Development ("OECD"). The Code will apply starting on 2 September 2021. In this update, we cover what the Code is, who the Code applies to, how the Code will be enforced, what organisations need to do to comply with the Code, how the Code will impact businesses and what you can do.
What is the Age-Appropriate Design Code?
The Code is not a new law. The UK DPA is the UK's primary data protection legislation, which implements the provisions of the UK General Data Protection Regulation ("UK GDPR") into national law. The Code was produced by the ICO to meet its obligation under s.123(1) of the UK DPA to prepare a code of practice, which it considers appropriate, on standards of age-appropriate design of relevant information society services which are likely to be accessed by children.
The Code does, however, explain how the UK GDPR will be applied by the ICO in the context of digital services which process the personal data of anyone who is under 18 years old. The Code sets out 15 headline design standards that companies should implement to ensure their services appropriately safeguard children's personal data and process children's personal data fairly.
From 2 September 2021, when UK regulators, public interest groups and individual data subjects consider whether an organisation offering online or connected products or services likely to be accessed by anyone under the age of 18 in the UK is compliant with the UK GDPR, the Code will be used as the benchmark for assessing that compliance.
Who Does the Code Apply to?
The Code applies to "relevant information society services which are likely to be accessed by children" in the UK and which process personal data. This includes apps, programs, connected toys and devices, search engines, social media platforms, streaming services, online games, news or educational websites and websites offering other goods or services to users over the internet.
The scope of the Code is wide. The Code has adopted the UN definition of "child," which means that the Code applies to anyone under the age of 18. As such, the scope is much wider than the Federal Trade Commission's ("FTC") Children's Online Privacy Protection Act ("COPPA") in the United States ("U.S.").
Further, the Code is not restricted to products designed specifically for children. The test for applicability is whether the product or service is "likely to be accessed by children," which has been defined as meaning that it is "more probable than not" that children will access it. As a result, the Code will likely apply even in circumstances where only small numbers of children may have access to the relevant products or services.
In addition, the Code has extraterritorial effect. The Code applies to any companies that offer products and services available in the UK. For example, U.S.-domiciled gaming companies, which offer games which are likely to be accessed by children in the UK, will be caught by the provisions of the Code. Similarly, the Code applies to online services based outside the UK that have a branch, office or other "establishment" in the UK and process personal data in the context of the activities of that establishment.
How Will the Code Be Enforced?
The UK DPA explicitly states that a "failure by a person to act in accordance with a provision of a code issued under section 125(4) does not of itself make that person liable to legal proceedings in a court or tribunal."
However, it is anticipated that the ICO will refer to the Code to inform its enforcement of the UK GDPR and/or PECR where the processing activities fall within the remit of the Code. In addition, other parties, such as public interest groups, individual claimants and representative actions, will also seek to rely on the Code when bringing civil claims alleging noncompliance with the UK GDPR and/or PECR. The UK DPA envisages this, noting that the Code is "admissible in evidence in legal proceedings" if the Code is in force at the time and is relevant to the matter at hand.
As such, although the Code itself is not law, a breach of the Code may form the evidential basis for a successful argument that the UK GDPR has been breached, and any breach of the UK GDPR may lead to significant enforcement action, regulatory fines and civil claims.
What Are the Requirements of the Code?
We have established that the Code has a wide scope, applies to UK and non-UK companies and can form the evidential basis for an allegation of a breach of the UK GDPR. So, what is the substance of the Code and how can companies comply with it?
The Code, like the UK GDPR, is principle-based, which means it is not a "checklist"; as such, careful consideration needs to be given to each of the 15 principles.
What Is the Impact of the Code on Businesses?
- Primary consideration of the best interests of the child and limitations on nudge techniques. Online services and products which fall within the remit of the Code will need to be designed and developed with the "best interests of the child" as the primary consideration. This encapsulates the needs of child users and how best to support those needs in the design of the online service, giving consideration to how, in a business's use of their personal data, children can be kept safe and how their health, well-being and development can be protected and supported. This could be in direct conflict with the commercial objectives of the business and will impact numerous practices, including marketing practices that encourage children to buy advertised products and mechanisms which encourage user engagement and so lead to increased screen time.
- The need to apply stricter default settings. Data collection and analytics, even for the purpose of "service enhancement," can no longer be switched on by default. Again, this will likely have a significant business impact, in particular affecting apps targeted towards children, limiting their ability to use data from UK users even for service improvement or analytics functions. Notably, this is in contrast to COPPA, which does not require parental consent where a child's data is used only for optimisation, personalisation, statistical reporting and other functions necessary to analyse and support the "internal operations" of the service.
- Parental controls and a child's right to privacy. The Code requires that children be notified when a parent is monitoring their activity and highlights that children can have rights that run contrary to those of their parents. This is another potential conflict with COPPA, which mandates that operators of services directed to children under 13 give parents the unfettered ability to access and delete personal information that a service collects from their children.
Orrick's Code Compliance Launchpad – Six Steps to Start Now
The Code can be daunting; it is uncharted territory and there is no one-size-fits-all approach. Here are six steps that can serve as a launchpad for your Code compliance programme.
- Understand your users. Determine whether the services you offer are "likely" to be accessed by children in the UK. You would need to consider: i) whether the nature and content of your service would have a particular appeal for children; and ii) how your service is actually accessed in the UK, including whether any measures are in place to prevent children gaining access. Consider whether it is possible to segment your services into those which are likely to be accessed by children and those which are not, and whether those children fall into one or more age ranges.
- Consider technical measures to control access for certain user groups. If you determine that some or all of your services are likely to be accessed by children in the UK, consider whether you want to: i) put in place self-certification to place the onus on the user; or ii) use technical age-gating methods to prevent children (or children of certain age ranges) accessing your services (such as making any paid elements payable only by credit card, as opposed to other payment methods).
- Consider the Code itself. The Code is not prescriptive and, ultimately, it is for each organisation to determine how best to apply the guidance. It will be important to assess the 15 standards contained in the Code to determine what is technically and operationally possible and whether to adopt a risk-based approach to compliance with certain aspects of the Code.
- Conduct a Data Protection Impact Assessment (DPIA). Utilise the DPIA process to document: i) the potential risks to children of different age ranges (including likelihood of access); and ii) what safeguards you can put in place to mitigate those risks with an emphasis on privacy by default.
- If necessary, consider tailored user experiences. Where necessary and appropriate, consider to what extent you can offer tailored experiences to different age groups, including child-friendly privacy disclosures in privacy policies and "just-in-time notices."
- Assess the impact on your wider privacy programme. Analyse how children's privacy fits into larger compliance programmes in all the geographic regions in which you offer services.