Earlier this week the British media were full of reports of the “Age Appropriate Design Code”. It had just been published by the Information Commissioner’s Office (ICO), the UK’s data protection authority. The Code’s provisions are likely to become fully operative in little over a year.
The Code’s title has a slightly nerdy feel, suggesting it might provide advice about the best sorts of layout and colours to use on web sites aimed at young people, but the only other one I could come up with was “The Code That Tells Online Businesses How To Handle Children’s Data And Respect The Privacy Rights Of Under-18s”. The ICO’s one is better.
The Code owes its existence to the Data Protection Act 2018. This was the Act which adopted the EU’s GDPR into UK law. However, the redoubtable Baroness Kidron, supported by a wide range of children’s organizations, other Peers and the 5 Rights Foundation, spotted weaknesses in the European instrument and proposed an amendment which was then accepted by both Houses of Parliament.
The resulting Code does not conflict with the GDPR in any way. Rather, it makes things more explicit and in so doing strengthens them, which makes it more likely they will be honoured by businesses and other organizations.
The Code further nudges businesses towards making sure they know who is visiting their sites or using their services. Sites cannot continue to say “this site or service is meant only for adults” and then take no meaningful steps to keep out “non-adults”.
There is a risk of getting overly theological about whether or to what extent the nature of the content of a site can be wholly disregarded when considering the data processing dimensions of its activities. My hunch is the nature of the site itself will be hugely relevant though I am certain many lawyers will be greatly enriched by arguing the exact opposite.
A child is anyone under 18
The GDPR, the Code and UK law adopt the UNCRC standard of 18 to define who is a child. Recital 38 of the GDPR says the following:
“Children merit specific protection with regard to their personal data, as they may be less aware of the risks, consequences and safeguards concerned and their rights in relation to the processing of personal data.”
Within the UK jurisdiction the Code puts flesh on the bones of that statement which, incidentally, because it is a Recital not an Article, is not in fact law.
There is no point me rehashing the 15 provisions of the Code. The 5 Rights Foundation has published its own handy summary which you can see here.
My two top picks
All 15 points of the Code are important but for me two stand out. These are:
5. “Do not use children’s personal data in ways that have been shown to be detrimental to their wellbeing, or that go against industry codes of practice, other regulatory provisions, or Government advice.”
To clarify things the ICO adds this:
“We mean any use of data that is obviously detrimental to children’s physical or mental health and wellbeing or that goes against industry codes of practice, other regulatory provisions or Government advice on the welfare of children.”
and then there’s
6. “Uphold your own published terms, policies and community standards (including but not limited to privacy policies, age restriction, behaviour rules and content policies).”
In the latter case, against the possibility that you did not fully understand what the ICO intended, again they helpfully spell it out:
“We mean that you need to adhere to your own published terms and conditions and policies.
“We also mean that, when you set community rules and conditions of use for users of your service, you need to actively uphold or enforce those rules and conditions.”
Once more, I couldn’t have put it better myself.