United Kingdom

[GB] ICO publishes its Age Appropriate Design Code of Practice

IRIS 2020-4:1/17

Alexandros K. Antoniou

University of Essex

On 21 January 2020, the Information Commissioner’s Office (ICO), the United Kingdom's independent body established to uphold information rights, published its Code of Practice which should be followed by online services to protect children’s privacy.

The Age Appropriate Design Code of Practice, the first of its kind, is a statutory code required under Section 123 of the Data Protection Act 2018. It seeks to address the increasing concern about the position of children in the modern digital world and to create a safe online space for them in which they can explore, learn and play. The Code shall apply to information society services which are likely to be accessed by under-18s in the United Kingdom; this covers providers of online products or services such as apps, social media platforms, search engines, online games, educational websites and streaming services, as well as children’s toys and other devices which are supported by functionality provided through an Internet connection. The Code is not, however, restricted to services specifically targeting children.

The Code adopts a risk-based approach and sets out standards of age appropriate design which aim to ensure built-in data protection for children when they are playing or learning online. In recognition of the fact that varying services require different technical solutions, these standards represent “a set of technology-neutral design principles and practical privacy features” that set a benchmark for the protection of children’s data. This means that privacy settings should be set to high by default and nudge techniques should not be used to prompt children to turn off privacy protection or provide unnecessary personal data. Privacy information provided to users (including terms, policies and community standards) must be concise, displayed clearly and prominently in a child-friendly way and tailored to the age of the user.

Moreover, geolocation options which indicate the geographical location of the user’s device (for example, GPS data or data concerning connections with local Wi-Fi equipment) should be switched off by default and an “obvious sign” should alert children when location tracking is active. Only the minimum amount of data needed to provide elements of the service should be collected and retained, and children should be given separate choices over the elements of the service they wish to use. The use of data to determine children’s personal preferences and interests in order to deliver targeted content (also known as profiling) should only be permitted if sufficient measures are in place to protect children from content that is detrimental to their health or well-being. Finally, the Code emphasises that the best interests of children should be a primary consideration when online services likely to be accessed by them are designed and developed, and that “prominent and accessible” online tools should be provided to assist them in exercising their data protection rights and reporting concerns.

The Code will be notified to the European Commission and laid before Parliament for approval. Businesses will subsequently be given a 12-month transition period from the date the Code takes effect to implement any necessary changes. It is anticipated that the Code will come into force in Autumn 2021 and will be enforced by the ICO. The regulator has warned that online service providers who fail to conform to the standards in the Code are likely to encounter difficulties in demonstrating that their processing was fair and in compliance with the Privacy and Electronic Communications Regulations (PECR) and/or General Data Protection Regulation (GDPR), potentially triggering regulatory action.


This article has been published in IRIS Legal Observations of the European Audiovisual Observatory.