Four things you need to know about the Age Appropriate Design Code
The statement says:
The Age Appropriate Design Code has completed the Parliamentary process and is being issued by the ICO today, 12 August 2020. The Code will come into force in 21 days on 2 September. The code then provides a transition period of 12 months, to give online services time to conform.
Here are the four key things you need to know about the Code.
1. Do I have to comply with the Code?
You need to comply with the law.
The laws to which the Code has the most relevance are predominantly the GDPR and the ePrivacy rules.
Complying with the Code may be a good way of showing that you comply with the law but, if you comply with the law, that is what matters legally.
Failure to comply with the Code is not itself a breach. s127(1) Data Protection Act 2018 says:
A failure by a person to act in accordance with a provision of a code issued under section 125(4) [which includes the Age Appropriate Design Code] does not of itself make that person liable to legal proceedings in a court or tribunal.
Both courts and the ICO will take the code into account when assessing potential breaches of the GDPR or the ePrivacy rules.
The ICO says:
We will take this code into account, along with other relevant legislation, when considering whether you have complied with the GDPR or PECR.
In other words, the Code is a good indication of the stance the ICO will take in the event of a investigation or enforcement action, and courts will consider the Code too, so if you are doing something which is not consistent with the Code, it would be sensible to document how what you are doing complies with the law anyway.
2. Does the Code apply to me? I don't run services for children.
The Code applies to “information society services likely to be accessed by children” in the UK.
"Information society services"
The Code does not apply to all services, but rather only those which are, legally, "information society services".
The definition of these has not aged well, but, as a rule of thumb, if you are monetising your service (directly (charging a user) or indirectly (e.g. advertising)), and the app or site itself is the thing which people want to use, it's probably an "information society service".
There are some exceptions to this. In particular, if your site just tells people about your services, but you are not monetising that site and they cannot buy your services through the site (e.g. they have to email you or call you) then your site is probably not an "information society service".
"likely to be accessed by children"
The ICO's view is that it applies to services (including many, but not all, apps and websites) which:
- are designed for and aimed specifically at under-18s; and
- are "likely to be accessed by" under-18s, which the ICO says means that access by children must be "more probable than not".
Whether a service is "likely to be accessed" by children will require a case-by-case assessment:
Is your website selling fixed line Internet access services likely to be accessed by children? I'd have thought not in most cases.
Is your voice / video communications service likely to be accessed by children? It would depend but, if you offer domestic services (as opposed to just business services), it might be harder to justify a position that you are unlikely to have child users. (Note that a POTS2 telephony is automatically out of scope, but VoIP3 is not automatically out of scope. So much for law being "technology neutral".)
Your gif-creation and sharing app? It might not be aimed at children, but there's a strong chance, I'd have thought, that you had children using it.
Is your "here's how to circumvent parental controls" VPN service, with a free tier, likely to be accessed by children? Probably tricky to say "no".
Your site with porn, or sexy stories, funded by advertising? An ad-funded service is in scope, even if you are not charging the end user directly. Again, think carefully as to whether your service is attractive to under-18s.
Companies not established in the UK
The ICO's view is that, even if you are not established in the UK, you still need to comply with the Code if your service is used by children in the UK.
It will be interesting to see how, and indeed if, the ICO attempts to enforce against companies not established in the UK.
Remember that the GDPR does not apply merely because you have users in the UK/EU. If you are not established in the EU, and you are not targeting your services to people in the EU, and you are not monitoring the behaviour of people in the EU, you are likely to have a strong argument that the GDPR does not apply to whatever processing you are doing, even if people in the UK/EU use your services.
3. What do I actually need to do?
Comply with the law.
What that means in practice will depend on the services you are offering.
Hopefully, you are already thinking about basic requirements of data protection and ePrivacy, including:
- complying with the GDPR's main principles, such as not using more data than you need for the things you have said you are doing, not keeping data longer than you need it for those purposes, and making sure it is accurate
- getting consent to the right standard (and from the right person) where consent is the basis of processing on which you are relying (and it often is not the best basis to use)
- being transparent about what you are doing, and giving people the information required by the GDPR (which might be more than you expect)
- giving effect to people's rights, including the right of access, and the right not to be subject to automated decision-making which could have a serious effect on them
- looking after people's data appropriately, in terms of security
- doing data protection impact assessments, to identify and mitigate risks
- thinking about data protection from the beginning, and making your default settings protective of personal data
- appointing a data protection officer if you need one
If you're not sure if you are meeting your legal obligations, feel free to get in touch.
4. Is age verification mandatory?
You may not be able to show you have met the GDPR's requirements (in terms of assessment of risk, or appropriate controls, for example) if you have not taken into account the ages of those who use your services. However, you may be able to do this without needing to verify the age of each user — for example, by taking into account the nature and context of the service you provide, and its attractiveness to children.
If you consider you do need to determine the age of users, the ICO has a non-exhaustive list of mechanisms you might use.
These expressly permit "self-declaration" of age in some situations.
It also suggests "artificial intelligence", which, in my view, is a bit worrying.