Online Safety ' The ICO's Children's Code

• Published date: 08 September 2021
• Subject Matter: Media, Telecoms, IT, Entertainment, Privacy, Data Protection, Privacy Protection, Social Media
• Law Firm: BCL Solicitors LLP
• Author: Mr Julian Hayes

Neither blessed with a catchy title nor immediately in force, the Age Appropriate Design Code grabbed few headlines when it was issued by the Information Commissioner (ICO) in 2020. Now re-badged as the Children's Code and in force from 2 September 2021, it is being feted as an early blow in the UK government's wider campaign against online harms and in particular the risks to the privacy of minors. Broadly drawn, both in terms of the online service providers affected and its geographic reach, the Code provides guidance on safeguards for the online treatment of children's personal data, with compliance underpinned by the potentially severe enforcement powers of the UK GDPR. Sensing the way the wind was blowing, the tech titans had already modified their services, spurring calls for similar measures in other countries. Misgivings over the ambit and practical impact of the Code remain, however, particularly in relation to the thorny issue of age-verification.

Long reach of the Code

Built around 15 high-level standards, the Code specifies the requirements which providers of 'information society services' (ISS) must meet if their products are likely - that is, are more likely than not - to be accessed by under 18 year-olds in the UK. The requisite standards, for the most part relatively uncontroversial, include prioritising the best interests of the child when designing and developing online services, establishing the age of individual users with a level of certainty appropriate to the risk, and upholding published terms, policies and community standards.

ISS providers include the majority of online services used by children, from social media platforms, search engines and online marketplaces through to content streaming services, messaging apps and online games. No mere parochial affair, the Code's geographical sweep takes in not only UK entities but also those elsewhere which offer their services to UK users or monitor their behaviour.

Legal effect & sanctions

Although a product of the Data Protection Act 2018 (DPA), and notwithstanding that courts must have regard to its provisions, the Code does not itself have force of law. Instead, it spells out the measures which ISS providers must meet if they are to fulfil their obligations under key aspects of both the UK GDPR and the less well-known Privacy and Electronic Communications Regulations (PECR) which govern online marketing and brought us cookie banners.

The ICO has issued dire warnings that failure to...