A statutory ICO code requiring organisations to provide better online privacy protections for children came into force on 2 September 2020, triggering the start of a 12 month transition period.
The Age Appropriate Design Code, or Children’s Code, applies to organisations providing online services and products likely to be accessed by children up to age 18, and gives firms one year to make the necessary changes to put children’s privacy at the heart of their design.
Fifteen standards are set out for designers of online services and products and how they should comply with data protection law. The code will require digital services to automatically provide children with a built-in baseline of data protection whenever they download a new app, game or visit a website.
The code breaks new ground as regulatory guidance focused on a ‘by design approach’ and is a huge step towards protecting children online, especially given the increased reliance on online services at home during Covid-19. All the major social media and online services used by children in the UK will need to conform to the code.
Information Commissioner Elizabeth Denhams commented: “A generation from now we will all be astonished that there was ever a time when there wasn’t specific regulation to protect kids online. It will be as normal as putting on a seatbelt.
“This code makes it clear that kids are not like adults online, and their data needs greater protections. We want children to be online, learning and playing and experiencing the world, but with the right protections in place.
“We do understand that companies, particularly small businesses, will need support to comply with the code and that’s why we have taken the decision to give businesses a year to prepare, and why we’re offering help and support.”
Organisations are being called on to get in touch to highlight the extra help they may need to understand the new code. Based on their feedback, the ICO is spending the next year developing a tailored package of support to help organisations adapt their online products and services before 2 September 2021.
The code is risk-based, which means it does not apply to all organisations in the same way. Those responsible for designing, developing or providing online services like apps, connected toys, social media platforms, online games, educational websites and streaming services that use, analyse and profile children’s data, are likely to have to do more to conform to the code.
- ICO fines Marriott £18.4m over major customer data breach
- Data Protection Summit 2020 | The biggest ICO fines ever issued
- ICO political data audit highlights ‘significant’ data protection failings
The ICO’s new web hub is a starting point for all those responsible to get the necessary help and support. A series of webinars, held throughout September, will support members of trade associations in the gaming, video streaming, social media and connected toys sectors.
It is also interested in hearing from innovators concentrating on cutting edge personal data projects dealing with the issues posed by the implementation of the Children’s Code. It is inviting organisations to apply for places in its free regulatory Sandbox.
The Sandbox is designed to support organisations using personal data to develop innovative products and services and accepts applications from all types of organisations from start-ups, SMEs and large organisations, across private, public and voluntary sectors.
More resources will be added to the ICO’s website including a toolkit for organisations to help assess whether they need to comply with and details of workshops on assessing risk.