Data Protection: Age Appropriate Design Code
Published 4 September 2020
The Information Commissioner’s Office’s (ICO’s) Age Appropriate Design Code came into force on 2 September 2020. The purpose of the Code is to ensure that online organisations and services limit the amount of data they collect from children. Organisations will have 12 months to comply with the Code.
Under the Data Protection Act 2018 (DPA), the ICO is required to prepare certain codes of practice, one of which must cover standards of age-appropriate design. This Code is one of four statutory codes the ICO is required to prepare. The other three are the data-sharing code, the direct marketing code and the data protection and journalism code.
The Code applies to all ‘information society services’, which can be defined as any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services. The Code will apply to a large pool of organisations, including providers of apps, programs, websites, games or community environments, and connected toys or devices with or without a screen. If you provide the relevant online services, this Code will apply to you.
The Code contains 15 standards for designers of online services and products, and sets out practical measures and safeguards on the following matters:
best interests of the child
data protection impact assessments
age appropriate application
detrimental use of data
policies and community standards
The ICO will now be required to take the Code into account when considering whether an online service has complied with its data protection obligations under the General Data Protection Regulation or the Privacy and Electronic Communications Regulations (PECR), in particular in respect of questions of fairness, lawfulness, transparency and accountability.
One should also expect the Code to be used in evidence in court proceedings where relevant.
There is no prescribed offence for breaching the Code; however, organisations that fail to follow the standards set by the Code could likely be found to be breaching their obligations under the DPA or PECR, which will be actionable offences.
The ICO has wide-ranging enforcement powers, including assessment notices, warnings, reprimands, enforcement notices and penalty notices (administrative fines). For serious breaches of the data protection principles, the ICO has the power to issue fines of up to €20 million (£17.5 million when the UK GDPR comes into effect) or 4% of your annual worldwide turnover, whichever is higher.
Should you require any further information on the above please contact Wattey Kemnay in our Corporate team.
This article is for general guidance only and should not be regarded as a substitute for professional legal advice.