What is the ICO Children’s Code?

18th August 2021

The ICO’s Age Appropriate Design Code, also known as the Children’s Code, sets out 15 standards that organisations must meet to ensure that children’s experiences and personal data is protected online.

It came into force on 2 September 2020 with a 12-month transition period to help companies prepare and implement the code. The Code has statutory force.

The Code applies to all online services used by children in the UK and includes measures such as providing default settings which ensure that children have the best possible access to online services whilst minimising personal data collection and use.

The Code is not a new law. Instead, it sets standards and explains how the UK General Data Protection Regulation applies in the context of children using digital services.

Who counts as a child under the Code?

A child is any person under the age of 18. A great number and variety of services are likely to be accessed by 16 or 17-year-olds meaning that the Code will apply to a number of general audience sites and services, from mainstream news sites and social media to sports bodies. In addition, many young people are growing up only ever experiencing some everyday services online, such as online banking and job applications, widening the scope further.

What are the 15 standards organisations need to meet?

The ICO standards include acting in the best interests of the child, conducting child-specific data protection impact assessments, having settings which are “high-privacy” by default for all children, offering choices to opt-out of data processing which isn’t necessary for the core service, avoiding nudges to lower-privacy options, and providing certain information to help under 18s to understand and access their privacy rights.

Applying the standards of the Code is not just a legal issue. The Code seeks to influence how services are presented to children and therefore has implications for technology development, design, marketing and operations.

Who needs to comply with the code?

If your organisation provides content, goods or services online, which could be appropriately accessed by a person under the age of 18, you are likely to be covered by the Code.

This wide reach is because the Code applies to “information society services likely to be accessed by children”. An information society service (ISS) is “any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services.”

The definition of ISS does not just apply to buying and selling goods and services online. It encompasses nearly all content consumed electronically including many apps, programs, connected toys and devices, search engines, social media platforms, streaming services, online games, news or educational websites and websites offering other goods or services to users over the internet.

These services are in scope even if the ‘remuneration’ or funding of the service doesn’t come directly from the child. For example, an online game or search engine that is provided free to the end user but funded via advertising, still comes within the definition of an ISS.

What about information services which are not aimed or targeted towards children?

If your online service is likely to be accessed by those under the age of 18, even if it’s not specifically targeted at them, then you are covered by the Code.

The ICO has acknowledged that the phrase “likely to be accessed by children” gives the Code a wide reach as it is intended to apply to all information society services which children access in reality, not just those which are specifically aimed at children.

This means that organisations will need to consider whether, in practice, their service is likely to be accessed by children, taking into account the nature and content of the service and the way in which the service is accessed. For example, sister websites to popular TV shows will need to think about the real age of their audience rather than the intended age. Additionally, online services that are age-restricted will need to be rigorous in how access by children is prevented.

The ICO has also indicated that the above assessment will be an ongoing obligation on organisations. Even if it is judged that children are not likely to access a particular service, if evidence later emerges that a significant number of children are in fact accessing the service, the organisation will need to conform to the standards in the Code or review access restrictions as required.

What happens if organisations don’t comply?

From 2 September 2021, businesses will be expected to meet the 15 standards. The ICO has said it will monitor compliance through proactive audits and complaints and, if an organisation is found not to comply with the Code, it may face warnings, reprimands, stop-now orders, processing bans and significant fines.

The ICO states that protecting the personal data of children is a regulatory priority for them and that conforming to the standards set out in this Code will be a key consideration when assessing an organisation’s compliance with data protection laws generally.

The ICO also publishes the enforcement action it takes, meaning that non-compliance with the Code could lead to significant reputational damage.

If you are worried that your organisation may not be fully prepared by September, please contact Raoul Lumb who will be able to advise on the steps you should take. You can also read our article, ‘What steps should organisations take to prepare for the ICO Children’s code?’.