Whilst the internet caters to people of all ages, there are undoubtedly certain elements that are unsuitable for children. In the context of data protection, organisations with an online presence are able to amass large quantities of personal data about the children visiting their website on a daily basis with relative ease.
Understandably, there is a widespread consensus towards protecting the personal data of those under the age of 18 when using online services. This has prompted the recent introduction of the Children’s Code (the “Code”, formerly known as the Age Appropriate Design Code).
What is the Code?
The Code itself contains 15 guiding standards that should be met by organisations operating websites and any other online services likely to be accessed by children.
It is not intended to replace an organisation’s legal obligations under the General Data Protection Regulation (the “GDPR”) (as implemented by the Data Protection Act 2018), which already impose additional rules for children’s personal data. Instead, the Code is meant to provide further guidance on how organisations can comply with their data protection obligations to children accessing their platforms.
One of the guiding standards under the Code is the principle that a child’s best interests should be the primary consideration during the design and development of online services that are likely to be accessed by children. As well as being in accordance with the GDPR, this is in line with international standards of child protection (such as Article 3 of the United Nations Convention on the Rights of the Child).
Additional standards include ensuring that:
- online services are age appropriate and in clear language suitable for children;
- geolocation and tracking options are switched off by default; and
- websites do not use nudging techniques to encourage children to provide unnecessary personal data.
When must organisations comply?
Although the Code came into force on 2 September 2020, there is a one-year transition period for organisations to ensure that their online platforms conform to the Code, ending on 2 September 2021.
During this period, the Information Commissioner’s Office (the “ICO”), as the independent regulator responsible for governing data protection in the UK, will be providing support and additional information to organisations to help them prepare for when the Code takes full effect.
After the end of this transition period, if organisations are found not to have followed the Code, their non-compliance will be taken into account by the ICO and any court in the event of a breach of wider data protection law. Moreover, non-compliance will make it harder for organisations to demonstrate they have complied with their legal obligations under the GDPR.
How can organisations ensure compliance?
Affected organisations will need to review the standards and guidance contained in the Code, and where appropriate, follow any steps recommended by the ICO.
In the first instance, organisations should review their existing procedures and online systems and then decide whether these need to be updated to reflect the new guidance. The ICO is also offering support and advice to organisations to help ensure their compliance with the Code.
Although the Code is intended to act as a guide for organisations that operate online services likely to be accessed by children (and is therefore non-binding), the ICO seems to suggest that failure to adhere to the Code will adversely impact an organisation in its wider data protection compliance.
On that basis, it is important for organisations that are likely to be affected to properly consult and implement the measures required under the Code.
If your business is likely to be affected by the introduction of the Code discussed above, the Data Protection Team at Leathes Prior would be happy to assist and provide advice on meeting your data protection obligations. Please contact us on 01603 281141 or email@example.com for more information.