From September 2021, a new statutory code of practice known as the Age Appropriate Design Code (called ‘the Children’s Code’) took effect in the UK.
The Children’s Code will be relevant to anyone providing online education services as it will be taken into account by the Information Commissioner’s Office (‘ICO’) or the Courts when deciding whether an online service has complied with its data protection obligations under the UK General Data Protection Regulation (‘GDPR’).
While the Children’s Code does not in of itself constitute a new law, it does clarify standards and how to apply the GDPR when online service users are children.
Failure to follow the Children’s Code suggests non-compliance with the GDPR, breach of which may result in claims from service users and ICO regulatory action as well as reputational damage.
Background to the Children’s Code
The Children’s Code was introduced as a result of growing concerns about children’s safety online. It’s estimated that one in five UK internet users are children and the personal data gathered about them online can be extensive.
While there is an ever-growing pool of useful educational resources and entertainment, there are concerns that the online space has not been regulated towards protecting younger users. The Children’s Code seeks to help rectify this by enhancing children’s online privacy rights and to create a safer environment for children when on the web.
At its core, the Children’s Code requires online service providers to consider children’s best interests when designing and running services which are likely to be accessed by children. In doing so, the Children’s Code follows the UN Convention on the Rights of the Child’s belief that children should benefit from special safeguards and protections.
While provisions for protecting children under UK data protection law so far appear to have focussed on those under the age of 13, references to ‘children’ within the Children’s Code extend to any individual under the age of 18.
The Children’s Code’s Standards
The Children’s Code is made up of 15 standards that all must be met in order to ensure children’s privacy is protected, though some standards may not be relevant to a service offered by a particular provider. These ‘irrelevant’ standards would be deemed automatically complied without needing to make any changes or implement any additional safeguards.
The standards provide default settings which online service providers need to implement in order to minimise data collection and the use of children’s personal information. For example, standard 7 requires that settings be “high privacy” by default, unless there is a compelling reason for this not to be the case. As children are often less likely to fully comprehend the importance of the personal data they are providing, or how their personal data may be used, and are more likely to simply accept whatever privacy settings are in place, the onus is on the online service providers to tailor their default privacy settings to ensure that these are appropriate.
Practically, default settings should only allow for essential personal data to be collected and retained, personal data should not be automatically shared with others, and geolocation should be switched off. There should be no prompts or nudge techniques to persuade a child to turn off these privacy settings or to provide additional personal data.
Under standard 4, the Children’s Code requires that ‘age appropriate’ descriptions be provided when children choose to change a privacy setting, a decision which should always be instigated by the child, not the online service provider.
To whom does the Children Code apply?
The Children’s Code applies to “relevant information society services which are likely to be accessed by children.” Information society services (‘ISS’) are defined as any services “provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services”. These definitions are broad and in practice, subject to a few narrow exemptions, the Children’s Code will apply to any online service which can be used by children, including apps, games, social media platforms, online messaging platforms, content streaming services, news and educational services, and any other website offering goods and services.
The Children’s Code also applies to online services which do not directly profit from its users, but for example, are funded by online advertising or in-app purchases, as well as to not-for-profit online services if these services are typically provided on a commercial basis.
Importantly, the Children’s Code applies to online services which children are likely to use, not necessarily only to those aimed specifically at children. In practice, whether children are considered likely to use any given online service will depend on the nature and content of the online service, its appeal to children, its accessibility as well as safeguards to access to this online service .
The Children’s Code and online education services
Over recent years, we have seen a range of new educational tools and learning resources come to market. Their accessibility undoubtedly contributes to their popularity. Children growing up in this digital age increasingly use and rely on the internet for education and information. As a result, online education services which meet the criteria set out above will need to take appropriate steps to comply with the Children’s Code. This would include designing online services or reviewing their existing online services to ensure all 15 standards have been complied with, paying specific attention to their data and privacy policies as well as to their contracts with any processors or sub-processors, and implementing changes as necessary.
Online education services should also carry out or review a Data Protection Impact Assessment (‘DPIA’); the ICO provides a template DPIA tailored to online services likely to be used by children. The implication is that online education services must also understand their customer base.
It is also important for online education services to document compliance with the Children’s Code and to keep this under review.