3 minute read | May.18.2023
Following the introduction of the Age-Appropriate Design Code (the Code) on 2 September 2021, companies have questioned whether the Code applies to their online service. A recent consultation by the ICO seeks to clarify when an online service will be considered to fall within the scope of the Code. For background on the Code itself, please see our earlier update, “The UK's Age-Appropriate Design Code in Effect.”
What is the focus of the ICO’s draft guidance?
As outlined in the Code, organisations fall within the scope of the Code if their online service is likely to be accessed by children. What this means in practice has generated some confusion among online service providers. In a bid to provide some clarity, the draft supplementary guidance issued by the ICO focuses on clarifying when an online service is ‘likely to be accessed’ by children and includes some FAQs, a list of factors that should be considered during an assessment and practical case studies for illustration purposes.
What does likely to be accessed by children mean?
The ICO notes that the Code applies to online services that are:
What is a “significant number of children”?
The ICO states that “significant” “does not mean that many children must be using the service or that children form a substantial proportion of your users”, rather it means there are more than a “de minimis or insignificant number of children using the service”.
In establishing whether the number of children accessing the service is significant, the ICO has provided some examples of factors that can be considered by the organisation when carrying out the assessment, such as:
How can organisations demonstrate that they have assessed the above?
The primary mechanism recommended for documenting such an assessment is a Data Protection Impact Assessment. The ICO recommends that the assessment should consider each of the factors on its list of example measures.
Importantly, even if you decide that the Code does not apply to your service, the ICO still expects that you document your reasoning for such a decision.
Additionally, if you have determined that the Code does not apply to your service, you should ensure you have your internal metrics collated and available for inspection by the regulator to support this conclusion. If a regulator receives complaints about children using your service or relies upon anecdotes from press reports for example, it will be important to have evidence to the contrary available for rebuttal. This evidence should be kept up to date and be subject to ongoing review.
What is the status of the guidance?
The content of the draft guidance is currently being consulted on, with feedback to be submitted by stakeholders by 19 May 2023. The ICO will review any feedback which it has received during the consultation and subsequently issue its updated guidance.
If you have questions about the Code, please contact Orrick’s Cyber, Privacy & Data Innovation Group.