The Children’s Code (formally known as The Age Appropriate Design Code), provides protection for children up to the age of 18 when they visit online services. The Code came into force on 2nd September 2020 with a 12-month transition period, giving organisations time to prepare. All social media and online services used by children in the UK will need to conform to the Code when it comes into full effect from 2nd September 2021.
What is the Children’s Code?
The Code sets out 15 standards that online services must follow to comply with the obligations under UK Data Protection Law to protect children’s data whilst they are online. The Code applies to all major social media and online services used by children in the UK such as apps, search engines, online games and websites selling services and goods.
These standards include:
• providing privacy settings that are high by default;
• switching off geo-location services that can reveal a child’s location to the world; and
• not using not using nudge techniques and notifications to encourage children to provide more personal data.
The aim of the Code is to protect children’s privacy when they’re online, making sure online services safeguard children’s personal data as well as providing default settings to allow children to have the best possible access to online services, whilst minimising data collection and data use by default.
Why do we need the Children’s Code?
Children are being ‘datafied’ as they grow up with organisations recording information about them when they use online services. The information recorded can include details about their mood, friendships, location and what time they wake up and go to bed.
Implementing the Children’s Code helps make sure that the best interests of the child are taken into account. The Code will help empower both adults and children and reassure parents that services are dealing with children’s personal data accordingly and they are appropriate for children to use.
What action should Charities take to protect children’s data in line with the Children’s Code?
Step one – Determine whether the charity provides an online service within the scope of the Code.
If a charity provides a service designed for and aimed specifically at under-18s, then the Code applies. The Code also applies to services that aren’t specifically aimed or targeted at children but are nonetheless likely to be used by under-18s. If you do not believe your organisation to be in the scope of the Code, you should keep a record of your decision.
Step two – Complete a Data Protection Impact Assessment (DPIA).
If a charity falls within the scope of the Code, a DPIA should be completed. A DPIA is a process to help assess and mitigate the data protection risks of an online service, and to the rights of children who are likely to access it. A DPIA will help draw out and document the questions which will need to be answered to conform with the Children’s Code. It will also help identify risks and design appropriate changes to the online service to reduce the risks and to conform with the Code.
Step three – Create an implementation plan.
Creating an implementation plan or roadmap will help make sure all planned steps to comply with the Code are taken before the 2nd September 2021 deadline. It will also help show that the Charity is serious about complying with the Code.
What are the implications to those who do not comply by 2nd September 2021?
The Children’s Code is legally enforceable. Organisations that do not follow the Code could face enforcement action by the ICO which includes compulsory audits, orders to stop processing and fines of up to 4% of global turnover.
If you need any help developing your data protection policy please get in touch with our Legal Team