Under section 123(1) of the Data Protection Act 2018 (the “DPA”) the UK’s supervisory authority, the Information Commissioner (the “ICO”), must prepare a code of practice which contains such guidance as the ICO considers appropriate on standards of age-appropriate design of relevant information society services (ISS) which are likely to be accessed by children. The draft age-appropriate design code has been prepared by the ICO in accordance with section 123(1) DPA.
‘Relevant’ ISS are those which involve the processing of personal data to which the General Data Protection Regulation (GDPR) applies (section 123(7) DPA). Relevant services include apps, programs, websites, games, community environments, and connected toys or devices with or without a screen that process personal data and are likely to be accessed by children in the UK.
We consider the code to be notifiable under the Technical Standards Directive as it places requirements on ISS to design services in order to comply with the GDPR.
Age Appropriate Design Code
The draft code provides practical guidance for relevant ISS on how to design data protection standards into online services to ensure they are appropriate for use by, and meet the development needs of children.
It reflects the UK’s obligations under the United Nations Convention on the Rights of the Child (UNCRC), which recognises that children need special safeguards and care in all aspects of their life. It also helps organisations comply with the general principles in the GDPR. In particular it sets out practical measures and safeguards to ensure processing under the GDPR can be considered fair, lawful and transparent in the context of online risks to children.
The code sets out 15 standards of age appropriate design. The focus is on providing default settings which ensure that children have the best possible access to online services whilst minimising data collection and use, by default. It also aims to ensure that children who choose to change their default settings get the right information, guidance and advice before they do so, and proper protection in how their data is used afterwards.