On January 21, 2020, the Information Commissioner’s Office (ICO) published its final version of its Age Appropriate Design Code of Practice (the code). The code will be submitted to Parliament in the coming days, and, assuming there is no objection, will become effective approximately two months later.
This blog post follows our previous update on the ICO’s draft Age Appropriate Design Code. The current code was produced following extensive industry and consumer engagement. It adopts the maximum transition period of 12 months to allow companies to make meaningful and thoughtful changes to how they operate.
Clarification on the Code’s Scope
Some of the most interesting amendments addressed the controversial scope section, which some contended was paving the way for an age-gated internet.
What services are in scope?
The code applies to any online products or services that are likely to be accessed by children (i.e., anyone under the age of 18). This includes applications, websites, search engines, community environments, programs, games, and connected toys or devices. Although the scope remains unchanged, the ICO has now explained what this means in practice. When considering the likelihood of access by children, a company should consider:
- whether the nature and content of the service is particularly appealing for children, and
- how the service is accessed and the measures implemented to prevent under-age use.
The ICO stresses a common-sense approach:
- Where it is clear cut that a company does not wish children to use its services, it should take steps to verify age (see below on Age appropriate application) and prevent access by children so that the code’s standards do not apply.
- If conversely a company is specifically targeting children, or the company knows it has a substantive user database under 18, the code’s standards will automatically apply.
- In the grey area in between, where a service could be used by children despite them not being the prime target audience, companies should analyze the nature, content, or presentation of the services to assess the extent to which their services are appealing to children. If a company establishes that children will want to use its service, the standards of the code will apply.
Companies should document decisions regarding the application of the code as this will lead to some level of leniency from the ICO.
Impact of Brexit
The transition period following the UK’s exit from the EU is likely to be over by the time the code becomes enforceable. After the transition period, the code will apply to any company targeting or monitoring individuals in the UK, regardless of where they are located. In addition, Elizabeth Denham, the current information commissioner, has stressed that she expects other jurisdictions to use the code as a benchmark.
The code sets out 15 headline “standards of age appropriate design” (the standards) that must be implemented. Each of them is accompanied by explanatory guidance, but compliance will be measured against the standards alone. Given the wide range of risk profiles presented by the services covered by the standards (due to both the broad array of services subject to the code and the variety of data processed), the code advocates for a risk-based and proportionate approach. Some of the key takeaways are set out below.
Age appropriate application
Our earlier blog post discussed the requirement to adapt application of the standards depending on the age range a user falls into (i.e., 0 to 5; 6 to 9; 10 to 12; 13 to 15; and 16 to 17). The final code follows the same approach but provides further guidance as to what this means practically.
This standard requires companies to apply all standards to all users (whether they have self-declared as an adult or a child), unless they can establish age with a level of certainty appropriate to the level of risk presented by the processing. This would mean, for example, that all users, and not just those identified as children, would have their settings set by default to the highest privacy setting. The code offers some guidance on appropriate age verification methods that can be used to establish which age group an individual falls into, ranging from self-declaration for low-risk processing to the use of AI.
Strict default privacy settings
Settings for children must be set by default to the highest privacy setting, except if data processing is necessary for the provision of a company’s core service. The ICO will carefully review a company’s compliance approach if it relies on this exception. The code discusses in some detail situations where this highest privacy setting must be set by default, including a) disclosure (including making visible) of a child’s data to a third party, b) the use of geolocation data, and c) profiling.
Even where the child actively opts in to lower privacy settings, the processing must still comply with the General Data Protection Regulation (GDPR) and the child must be protected from harmful effects. For example, companies profiling children to provide recommendations have a responsibility in relation to the recommendations they make. Furthermore, companies should not use “nudge techniques” (for example, particular placements or colors) to steer children towards the less privacy-friendly settings. The code goes further and encourages the use of such “nudge” techniques to guide children to options that protect their privacy and that support their health and wellbeing, such as encouraging them to take breaks during gameplay and providing means to save progress.
Caution with “sticky features”
Companies should not use children’s data in a way that is detrimental to their wellbeing. This means that companies should exercise caution with “sticky features” (strategies to extend user engagement, such as rewards, notifications, and autoplay features). According to the code, data-driven features that make it difficult for a child to disengage or are addictive, are unlikely to be fair under the GDPR. This includes features that exploit peer pressure.
Parliament is unlikely to modify the code and we expect that it will remain unchanged. While it will only become enforceable in the next 14 months, companies should consider preparing by assessing whether they are in scope, and by documenting how the standards apply to their users. Then, companies should consider conducting a fuller gap analysis based on the 15 standards, followed by a remediation plan and design changes. Although it may be tempting to wait and see how the market reacts following the transition period, the ICO has stated that enforcement will take into account efforts made during this time.
The code interestingly opines that if cookies are used solely for age verification purposes, they can be considered essential under the Privacy and Electronic Communications Regulations, meaning consent is not required.