After coming into effect last September, The Children’s Code gave businesses a 12-month transition period to make the necessary arrangements and ensure they are compliant by 2nd September 2021. Below, we have outlined how companies can prepare as the cut-off date approaches.
A statutory code of practice under the Data Protection Act (DPA) 2018 known as the Age Appropriate Design Code, informally referred to as the Children’s Code, recognises that children should be given special treatment when it comes to their personal data.
The purpose of the code is to protect children when using apps, games, and websites and applies to all organisations based in the UK, as well as any organisations based outside the country that monitor children’s data in the UK.
It sets out 15 standards that organisations and businesses must meet to ensure children’s data is protected online. The code applies to all the major online services used by children in the UK – such as apps, search engines, social media platforms, marketplaces, games, and websites selling goods and services.
What should organisations be doing to protect children’s data in line with the Children’s Code?
First and foremost, it must be made clear when personal data drives the service that a child is exposed to, and businesses must recognise and act to comply with their responsibilities to protect the child’s rights and freedoms.
There are a number of practical points that organisations will need to cover, such as:
- Providing privacy settings that are high by default;
- Switching off geo-location services that can reveal a child’s location to the world; and,
- Not using nudge techniques and notifications to encourage children to give up more personal data.
Children, and their parents or carer, can choose to change the default settings for the services. However, the code ensures that they initially get the right information, guidance, and advice before they do so – as well as proper protection with regard to how the child’s data is used afterward.
The Information Commissioner’s Office (ICO) states that:
“The standards are not intended as technical standards, but as a set of technology-neutral design principles and practical privacy features. The focus of the code is to set a benchmark for the appropriate protection of children’s personal data.”
The code is rooted within the existing data protection laws that are regulated and enforced by the ICO. Relevant services, for example, organisations that are likely to be accessed by children and process their personal data, are most likely to breach the data protection laws if they don’t conform to the code. It’s also worth bearing in mind that different services will require different technical solutions, there is no ‘one size fits all’ approach.
What happens to those who don’t comply with the Children’s Code by 2nd September 2021?
The ICO has a number of powers at its disposal should an organisation refuse to comply. These powers include a compulsory audit, orders to stop processing, and fines of up to four percent of the company’s global turnover. Therefore, compliance is key to ensuring a smooth end to the year-long transition.
How can Nelsons help?
At Nelsons, we work with businesses to put in place robust data protection systems and policies to comply with privacy laws.
If you would like any advice concerning the topics discussed in this article, please contact a member of our Commerce and Technology team on 0800 024 1976 or via our online enquiry form.