Further protection for children's data – the Age Appropriate Design Code

Across Europe, nation states and their regulators continue to develop new legislation, codes of practice and recommendations on data privacy and related areas. Despite being in a period of transition after leaving the EU, the UK is no exception. The Data Protection Act 2018 (DPA18) required the UK's Information Commissioner to prepare a number of Codes of Practice to provide guidance on specific types of data processing. s121 requires the ICO to prepare a Code of Practice on standards of age appropriate design of relevant information society services which are likely to be accessed by children.

Following a period of consultation, the final draft of the Age Appropriate Design Code (the AADC) has been published by the ICO. In late November 2019, the AADC was submitted to the Secretary of State, meeting the statutory deadline. It is now up to the government to lay the AADC before Parliament for approval.

Although the time scale for approval of the AADC is still unclear, the ICO has announced that there will be a twelve-month implementation period after it comes into force. This is a welcome shift from the shorter time frame initially proposed. For many organisations a year will be easily sufficient to enable them to consider and respond to the AADCs requirements but for others it will be a significant challenge – particularly those who offer services that are not designed for children but are still likely to be accessed by them.

The AADC contains 15 interconnecting provisions (revised down from 16 following the consultation period) that set out the requirements online services must meet to make their services suitable for children. Topics range from data minimisation to connected toys. When in force, the AADC will sit alongside the DPA18, to provide structure and detailed guidance to service operators' data privacy compliance efforts, as well as standards for the regulator to consider when determining the fairness or otherwise of processing activities.

How was the Code developed?

The Code owes its existence in large part to a number of campaigners who insisted upon amendments to the DPA18 as it was going through Parliament. 5Rights, one of the most prominent groups, described the Code as "a new deal between children and the tech sector" adding "It will redress the balance between the needs and safety of children and the commercial interests of online services". To see a campaigning group welcome the work of a regulator so warmly and without hesitation could be viewed as an ominous indication of the amount of work it will take site operators to comply with the new requirements.

In developing the AADC, the ICO was required to consult with relevant organisations as well as parents and children and to consider the UK's obligations as a signatory to the United Nations Convention on the Rights of the Child. The ICO received around 450 responses to the draft code sent out for consultation in April 2019 and states that it has conducted dozens of meetings with trade bodies, industry representatives, campaigners and individual organisations. It is unclear how many actual children (if any) were consulted as part of the process.

What does the AADC do?

The AADC contains guidance on standards of age-appropriate design for information society services likely to be accessed by children, not just sites actively targeting children. This will prove challenging for many site operators since information society services of various sorts can be found across a large number of sites, apps and portals covering a huge swathe of online activity.

The ICO has further determined that the Code will apply to users under the age of 18 whereas the GDPR tends to focus on under-16s, particularly in relation to digital consent. This will pose particular difficulties for operators whose services do not target children but may be accessed by individuals of all ages, for example, news sites and aggregators which are likely to be accessed by older teenagers. They will need to work out what age range to pitch not only the policies and privacy notices but also the design and functionality of the whole site. Many operators may risk non-compliance rather than aiming to meet the needs of the youngest possible user.

Potential compliance issues

Challenges that clients have already experienced include:

The meaning of "likely"

The AADC refers to services "likely to be accessed by children" and "likely to be used by under-18's". The ICO says that "likely" means the possibility of access by children is "more probable than not" but does the Code apply if it's more probable than not that an occasional child may access the service or where a very small proportion of a site's users are under 18 but the site has millions of users?  Even in these situations, it is likely that the site will be caught by the requirements of the AADC.

Scope creep

The AADC arguably goes beyond the remit set for it in the DPA18. It asks service providers to consider issues such as the need for screen breaks and general user welfare (avoidance of online grooming, sticky or nudge techniques and peer pressure) that are not directly related to privacy.

Conflicting obligations

The AADC attempts to balance the interests of children with the need to protect them but in practice this can be a big challenge. The AADC recognises the importance of parental support and supervision but those trying to implement it are also bound to respect the privacy rights that children have even against their parents. It is also important to remember that as many children are spending significant periods of time online they may well be far more technologically and indeed privacy aware than their parents, even from a relatively young age.

Additional data risks

Managing processes around age verification can lead to further privacy risks. The need to treat all users as if they were children by default is likely to lead to some services restricting access which will impede the freedom of assembly and communication of children in unanticipated ways. It is also likely that we will see a growth in the use of data verification techniques, many of which require the collection of additional personal data to determine a user's age in a way that runs counter to data minimisation goals and inevitably leads to larger and more detailed volumes of information being processed and at risk from cyberattack.

UK industry impact + Brexit

The AADC will not apply to organisations with no establishment in the UK and whose lead supervisory authority is not the ICO. There is a risk that the AADC will be the start of divergence from the EU27 and a loss of regulatory alignment on privacy. In addition, the cost of compliance may make organisations think twice about choosing the UK as a base for operations.