One in five United Kingdom ("UK") internet users are under 18, and, according to the UK's Information Commissioner's Office (the "ICO"), "are using an internet that was not designed for them." Under the UK's Data Protection Act 2018 ("UK DPA"), the ICO was required to issue a statutory code of practice setting out standards which will apply to online or connected products or services that (i) process personal data and (ii) are likely to be accessed by anyone under the age of 18 in the UK. This code of practice is referred to as the "Age Appropriate Design Code" (the "Code").
As children's privacy continues to be one of the primary areas of concern for legislators and privacy advocates, the Code reflects a global direction of travel, with similar reforms being considered in the USA, in Europe and globally by the Organisation for Economic Co-operation and Development ("OECD"). The Code went into effect on 2 September 2021. In this update, we cover what the Code is, who the Code applies to, how the Code will be enforced, what organisations need to do to comply with the Code, how the Code will impact businesses and what you can do.
The Code is not a new law. The UK DPA is the UK's primary data protection legislation, which implements the provisions of the UK General Data Protection Regulation ("GDPR") into national law. The Code was produced by the ICO to meet its obligation under s.123(1) of the UK DPA to prepare a code of practice which it considers appropriate on standards of age-appropriate design of relevant information society services which are likely to be accessed by children.
The Code does, however, explain how the UK GDPR will be applied by the ICO in the context of digital services which process the personal data of anyone who is under 18 years old. The Code sets out 15 headline design standards that companies should implement to ensure their services appropriately safeguard children's personal data and process children's personal data fairly.
From 2 September 2021, when UK regulators, public interest groups and individual data subjects are considering if an organisation which offers online or connected products or services likely to be accessed by anyone under the age of 18 in the UK is compliant with the UK GDPR, the Code will be used as a benchmark to assess the level of compliance.
The Code applies to "relevant information society services which are likely to be accessed by children" in the UK and which process personal data. This includes apps, programs, connected toys and devices, search engines, social media platforms, streaming services, online games, news or educational websites and websites offering other goods or services to users over the internet.
The scope of the Code is wide. The Code has adopted the UN definition of "child," which means that the Code applies to anyone under the age of 18. As such, the scope is much wider than the Federal Trade Commission's ("FTC") Children's Online Privacy Protection Act ("COPPA") in the United States ("U.S.").
Further, the Code is not restricted to products designed specifically for children. The test for applicability is whether the product or service is "likely to be accessed by children," which has been defined as meaning that it is "more probable than not" that children will access it. As a result, the Code will likely apply even to circumstances where only small numbers of children may have access to the relevant products or services.
In addition, the Code has extraterritorial effect. The Code applies to any companies that offer products and services available in the UK. For example, U.S.-domiciled gaming companies, which offer games which are likely to be accessed by children in the UK, will be caught by the provisions of the Code. Similarly, the Code applies to online services based outside the UK that have a branch, office or other "establishment" in the UK and process personal data in the context of the activities of that establishment.
The UK DPA explicitly states that a "failure by a person to act in accordance with a provision of a code issued under section 125(4) does not of itself make that person liable to legal proceedings in a court or tribunal."
However, it is anticipated that the ICO will refer to the Code to inform its enforcement of the UK GDPR and/or PECR where the processing activities fall within the remit of the Code. In addition, other parties, such as public interest groups, individual claimants and representative actions, will also seek to rely on the Code when bringing civil claims alleging noncompliance with the UK GDPR and/or PECR. The UK DPA envisages this, noting that the Code is "admissible in evidence in legal proceedings" if the Code is in force at the time and is relevant to the matter at hand.
As such, although the Code itself is not law, a breach of the Code may form the evidential basis for a successful argument that the UK GDPR has been breached, and any breach of the UK GDPR may lead to significant enforcement actions, regulatory fines and civil claims.
We have established that the Code has a wide scope, applies to UK and non-UK companies and can form the evidential basis for an allegation of a breach of the UK GDPR. So, what is the substance of the Code and how can companies comply with it?
The Code, like the UK GDPR, is principle-based, which means it is not a "checklist" and, as such, careful consideration needs to be given to the 15 principles.
The Code can be daunting; it is uncharted territory and there is no one-size-fits-all approach. Here are six steps that can serve as a launchpad for your Code compliance program.