Codes of Practice are a useful tool that legislators provide to regulators – usually allowing or even requiring the regulator to publish standards against which behaviours will be assessed. And this is very much the case with our data protection laws.

Coming into effect shortly, is a code of practice setting requirements that the tech industry take child privacy ever more seriously. The code will be known as  “Age appropriate design: a code of practice for online services”.

There is an allowance of a year being provided to give businesses that interact with children (in this case up to 18 years of age) the opportunity to recognise the requirements of the Code in the products and services delivered.

Notwithstanding a fairly lengthy gestation period many businesses will have been unaware of this development and the potential impact on their business, prior to recent media coverage of its implementation. The code has application to all “information society services” that are likely to be accessed by children. In the view of ICO – and lawyers do not disagree with this – most online services are likely to be categorised as information society services – making the code applicable to a multitude of online services ranging from search engines through to websites offering to sell goods and services to consumers. Even the software driving connected toys and other devices will be caught by the code.

What expectations does the code set?

 At the heart of the code is recognition that extra steps should always be taken to help children understand when and how their personal data may be captured and what might happen to that personal data. Service providers must always be ready to demonstrate that they have placed the best interests of children foremost in the manner they have designed and operate the service they offer.

No less than 15 criteria are included in the code, many being aspects of the web experience children encounter where privacy issues should be addressed. Expectations set include ensuring that high privacy settings are applied by default, limiting the way personal data is treated and being able to demonstrate that the minimum possible quantum of personal data is being captured and processed through the service. Particular care is to be taken where profiling is involved and providing parental management for privacy controls is encouraged.

If I am convinced that the service I provide will only be accessed by adults should I relax?

 Not necessarily!  ICO can require you to provide convincing evidence that the assumption you make is valid. Sites that are intended for adults may nevertheless be attractive to children and that would be enough to make them services which children are “likely” to seek to access. You might have to provide evidence such as market research findings, or place gates on the internet access to your service that will control access effectively, to escape further obligations under the code. Regularly revisiting the validity of the assumption will also be expected.

Is the code legally binding?

The short answer is no but the long answer is rather more complicated. A code of practice of this kind will carry significant evidential weight in circumstances in which ICO are considering compliance with data protection law and the specific protections provided to children. Following the code will be regarded as a key measure of the overall compliance demonstrated. Think of the Highway Code in relation to driving – if someone is not following the code and they have an accident, that will be very compelling evidence of their lack of care and attention.

Not everyone agreed with ICO that the code will be an effective tool in practice – what issues have been raised with ICO?

There are a number of concerns with the adoption of the code. Quite how decisions around design can be truly effective across an age range from say 2 or 3 up to 18 causes much head scratching. Businesses that genuinely want to dissuade children from accessing services point also to the absence of any kind of robust age verification service within the UK. The manner in which privacy information and guidance is delivered to children within a service is an area that will need to receive particular attention.

Businesses will want to demonstrate that they can help children understand the implications for personal data in ways that are effective – just in time style popup windows will be an obvious solution but will this be overly intrusive into the user experience?

Finally, as the full impact of the code is understood, a concern that we are likely to see relates to the reception children will give to new ways of delivering privacy related guidance and information. A frequently expressed concern is the absence of privacy awareness learning within our education system. Having systems in place that make it easier for children to see what happens to their data requires the child, in return, to be able to relate to and make decisions around the risks involved in, for example, changing default settings within a program. We may not be quite there yet in terms of providing service providers with an appropriately informed audience.

To access the full code follow this link: