Data protection and the age-appropriate design code
Written by Adindu NwichiData Protection Officer
What is the Age-Appropriate Design Code?
A 2019 report by Ofcom shows that 50% of ten-year olds own mobile phones. While viewing of video-on-demand (with YouTube as firm favourite), has doubled in the last five years among children. Platforms like TikTok are rapidly growing in popularity. Sadly, more and more children are being exposed to hateful, violent and disturbing contents on these platforms.
The Age-Appropriate Design Code is a code of practice drafted by the ICO (the regulatory authority for data protection in the UK) as a solution to this modern problem. According to the Data Protection Act 2018, age-appropriate design means, “the design of services so they are appropriate for use by, and meet the development needs of children”. If the Data Protection Act 2018 sounds familiar to you, it’s because it’s also the legislation that implemented GDPR in the UK.
The Code was designed to ensure that organisations who provide services likely to be accessed by children take into consideration children’s best interests. The remit is as wide as possible, and includes developing apps, programs, social media platforms, streaming services, search engines, online games, news and educational websites.
What does my business need to do?
The Code is not a new law. However, it sets out 15 standards of age-appropriate design which complement data protection laws in the UK. Embedding these standards in the design process would help organisations demonstrate compliance with the UK GDPR, PECR and DPA 2018. Don’t forget that the GDPR mandates extra protection measures for child personal data.
When your organisation develops a new product or a service, it is important to bear in mind the age ranges and developmental stages provided by the Code. If, for instance, a software being developed is likely to be used by children between the ages of 6 – 9 years, a data protection impact assessment (DPIA) of the potential risks to the individuals should be conducted. Although DPIAs for any new product and service is strongly recommended.
In-keeping with Article 25 of the GDPR, appropriate privacy controls should be used in designing the default privacy settings. That way, if a child does not make any changes to the settings, personal data collected cannot be accessed by other users of the service or other organisations. Furthermore, the default privacy settings should be such that profiling, and the geolocation of the child-user are switched off, unless there is a very, very compelling reason not to.
How is the Age-Appropriate Design Code enforced?
Though the code officially came into force in September of 2020, organisations were given a 12-month transition period to prepare. This means that from 2 September 2021, organisations whom the code applies to are expected to conform to the standards set by the code. The Information Commissioner’s Office (ICO) has the responsibility of enforcing data protection legislation. Children’s data is given special attention. In the event of an abuse of their data, the ICO is under a legal duty to take the provisions of the code into account when enforcing applicable laws. Some of the disciplinary tools available to the ICO include enforcement notices and penalty notices. The penalty notices can go as high as £17.5 million or 4% annual worldwide turnover of an organisation.
Get a helping hand with your data protection
Bulletproof’s friendly, experienced consultants are on-hand to help your organisation with all data protection matters. From specific challenges to general privacy check-ups, get in touch to see how we can help.Learn more
Our experts are the ones to trust when it comes to your cyber security
Get a quote today
If you are interested in our services, get a free, no obligation quote today by filling out the form below.