The UK Information Commissioner’s Office (“ICO”) formally issued its code for online services whose user audience is likely to be children under 18.
The code, which received parliamentary approval, sets out 15 standards of age-appropriate design. It reflects a risk-based approach intended to provide default settings that ensure that children have access to online services whilst also minimizing data collection and use, by default. These principles include, for example:
- A duty to conduct a data protection impact assessment;
- Designing the service with ‘high privacy’ settings by default, unless a compelling reason for different default settings can be demonstrated. This also applies to data processing for profiling purposes; and
- Collecting and retaining only the minimal amount of personal data necessary for the service and allowing the children to choose which elements they wish to activate.
The principles apply to any service that is likely to be used by children under 18 in the UK, rather than just for services aimed at children. It covers entities established within or outside the EU.
This code will come into force on September 2, 2020, with a 12 months transition period. The code itself is not a legally binding instrument; however, the ICO will take the code into account when considering whether an online service has complied with its data protection obligations under the GDPR.
CLICK HERE to read the ICO Age Appropriate Design Code for Online Services.