Data protection and the age-appropriate design code

Adindu Nwichi Headshot
Adindu Nwichi
Data Protection Consultant
20th August 2021

What is the Age-Appropriate Design Code?

A 2019 report by Ofcom shows that 50% of ten-year olds own mobile phones. While viewing of video-on-demand (with YouTube as firm favourite), has doubled in the last five years among children. Platforms like TikTok are rapidly growing in popularity. Sadly, more and more children are being exposed to hateful, violent and disturbing contents on these platforms.

The Age-Appropriate Design Code is a code of practice drafted by the ICO (the regulatory authority for data protection in the UK) as a solution to this modern problem. According to the Data Protection Act 2018, age-appropriate design means, “the design of services so they are appropriate for use by, and meet the development needs of children”. If the Data Protection Act 2018 sounds familiar to you, it’s because it’s also the legislation that implemented GDPR in the UK.

The Code was designed to ensure that organisations who provide services likely to be accessed by children take into consideration children’s best interests. The remit is as wide as possible, and includes developing apps, programs, social media platforms, streaming services, search engines, online games, news and educational websites.

Clipboard with checklist icon

Want to find out more about the GDPR?

Bulletproof has helpful free resources for organisations looking to find out more about the GDPR. Why not download our educational white paper, watch our insightful webinar featuring our Head of Compliance, or view our interesting infographics.

What does my business need to do?

The Code is not a new law. However, it sets out 15 standards of age-appropriate design which complement data protection laws in the UK. Embedding these standards in the design process would help organisations demonstrate compliance with the UK GDPR, PECR and DPA 2018. Don’t forget that the GDPR mandates extra protection measures for child personal data.

When your organisation develops a new product or a service, it is important to bear in mind the age ranges and developmental stages provided by the Code. If, for instance, a software being developed is likely to be used by children between the ages of 6 – 9 years, a data protection impact assessment (DPIA) of the potential risks to the individuals should be conducted. Although DPIAs for any new product and service is strongly recommended.

In-keeping with Article 25 of the GDPR, appropriate privacy controls should be used in designing the default privacy settings. That way, if a child does not make any changes to the settings, personal data collected cannot be accessed by other users of the service or other organisations. Furthermore, the default privacy settings should be such that profiling, and the geolocation of the child-user are switched off, unless there is a very, very compelling reason not to.

Young person watching an iPad

How is the Age-Appropriate Design Code enforced?

Though the code officially came into force in September of 2020, organisations were given a 12-month transition period to prepare. This means that from 2 September 2021, organisations whom the code applies to are expected to conform to the standards set by the code. The Information Commissioner’s Office (ICO) has the responsibility of enforcing data protection legislation. Children’s data is given special attention. In the event of an abuse of their data, the ICO is under a legal duty to take the provisions of the code into account when enforcing applicable laws. Some of the disciplinary tools available to the ICO include enforcement notices and penalty notices. The penalty notices can go as high as £17.5 million or 4% annual worldwide turnover of an organisation.

Adindu Nwichi Headshot

Meet the author

Adindu Nwichi Data Protection Consultant

As an experienced DPO and Data Protection Consultant, Adindu has a wealth of insight into helping businesses overcome their compliance challenges through expert advice and guidance.

Get a helping hand with your data protection

Bulletproof’s friendly, experienced consultants are on-hand to help your organisation with all data protection matters. From specific challenges to general privacy check-ups, get in touch to see how we can help.

Learn more

Related resources

Trusted cyber security & compliance services from a certified provider

Get a quote today

If you are interested in our services, get a free, no obligation quote today by filling out the form below.

(1,500 characters limit)

For more information about how we collect, process and retain your personal data, please see our privacy policy.