UK children’s code uncertainty persists despite tools to aid compliance

Meghan Higgins and Rosie Nance of Pinsent Masons were commenting after the Information Commissioner’s Office (ICO) published guidance for businesses to support compliance with the code. The guidance provides a step-by-step process for organisations to consider whether they are acting in the best interests of children. It complements other resources the ICO has made available, including a more comprehensive self-assessment risk tool.

The children’s code, officially called the age appropriate design code (AADC), came into force on 2 September 2020 with a 12-month transition period. It aims to ensure that children’s privacy and wellbeing is protected online. The code was the first statutory code of practice in the world addressing the use of children’s data and it was introduced at a time when restrictions associated with the Covid-19 pandemic meant that many children and young people were spending more time online than ever before

The code applies to online services that are likely to be accessed by children under 18, even if children are not the service’s target audience. Both UK-based and non-UK companies are subject to the code if their online services are likely to be accessed by children in the UK. The code is comprised of 15 flexible standards for consideration by online services to improve and protect the experience of children accessing the service.

The first standard under the code requires online services to treat the best interests of the child as a primary consideration when designing and developing online services which are likely to be accessed by a child. The focus on considering and promoting a child’s best interests is derived from Article 3 of the United Nations Convention on the Rights of the Child (UNCRC). The new guidance is designed to help online services comply with this standard.

The ICO has promised to be proactive in requiring social media platforms, video and music streaming sites and the gaming industry to inform them how their services are designed in line with the code. Many of the major online platforms have welcomed the guidance provided by the code and introduced new tools to give young people and the adults responsible for them more control over their experiences online.

The four-step guide now published by the ICO invites businesses to consider the rights of the child, how to identify how those rights might be impacted, the extent of that impact, and what action plan they might put in place to address the risks arising.

According to the ICO, the assessment businesses carry out in following the guidance supports, but does not replace, the formal data protection impact assessment (DPIA) exercise they are likely to have to complete when developing online services to comply with UK data protection law. The AADC provides specific guidance in this context.

“These resources are likely to be welcome to businesses for carrying out the important work of assessing whether their use of personal data complies with the children’s code and its underlying principle of treating the best interests of the child as a primary consideration,” said Nance. “At this stage, however, there is some uncertainty around future compliance obligations for carrying out DPIAs and assessments required under the AADC.”

Nance said the main uncertainty arises as a result of UK government plans to update data protection laws to remove the requirement for organisations to undertake a DPIA.

“We may have more certainty on future compliance requirements shortly when the Department for Digital, Culture, Media and Sport (DCMS) publish their views on the responses it received to its consultation on reform,” Nance said.

Further uncertainty arises around how the assessment to be conducted under the ICO’s guidance will interact with the assessments that online service providers could find they have to carry out under the Online Safety Bill that has been proposed, she said.

The draft Online Safety Bill is separate to the AADC, but there is crossover between what is covered under the AADC and the Bill. For example, section 26 of the Online Safety Bill sets out proposed ‘safety duties protecting children’.

“Both the Online Safety Bill and the AADC require providers of in-scope services to consider whether their services are likely to be accessed by children,” said Higgins. “However, although the Joint Committee on the draft Online Safety Bill recommended in its report late last year that there be increased regulatory alignment between the provisions of the Online Safety Bill and the AADC, including the standard to be applied by regulated services to assess whether they are likely to be accessed by children, this suggestion has not yet been adopted.”

Other jurisdictions appear set to follow in the UK’s footsteps in terms of legislating for protection of children online. California, for example, in February 2022 published an Assembly Bill for the California age appropriate design code, modelled on the ICO’s AADC. In addition, the European Data Protection Board (EDPB) indicated in its latest work programme that it intends to publish guidance on children’s data sometime this year. The European Commission has also indicated its intention to publish a child’s rights package, including a European strategy for better internet for children.