The UK Information Commissioner’s Office releases a code of practice for online services involving children

February 2, 2025

The most active form of regulation in privacy across the world now relates to protecting children and limiting the data taken from them and used by businesses. The UK Parliament passed the Online Safety Act 2023. The Act imposes new duties on social media companies and search services, making them more responsible for their users’ safety on their platforms. Those new duties include implementing systems and processes to reduce risks that their services are used for illegal activity, and to take down illegal content when it does appear. Regarding children, platforms are required to prevent children from accessing harmful and age-inappropriate content and to provide parents and children with clear and accessible ways to report problems online when they do arise. The main regulator, Ofcom, has set out age check guidance regarding access to online pornography. The Information Commissioner has had a code of practice for some time regarding the development of age appropriate design for online platforms. The core of the code is 15 standards.

The 15 standards are:

1. Best interests of the child

2. Data protection impact assessments

3. Age appropriate application

4. Transparency

5. Detrimental use of data

6. Policies and community standards

7. Default settings

8. Data minimisation

9. Data sharing

10. Geolocation

11. Parental controls

12. Profiling

13. Nudge techniques

14. Connected toys and devices

15. Online tools

The Executive Summary of the ICO guidance provides:

Children are being ‘datafied’ with companies and organisations recording many thousands of data points about them as they grow up. These can range from details about their mood and their friendships to what time they woke up and when they went to bed.

Conforming to this statutory code of practice will ensure that as an organisation providing online services likely to be accessed by children in the UK, you take into account the best interests of the child. It will help you to develop services that recognise and cater for the fact that children warrant special protection in how their personal data is used, whilst also offering plenty of opportunity to explore and develop online.

You have 12 months to implement the necessary changes from the date that the code takes effect following the Parliamentary approval process. The ICO approach to enforcement as set out in our Regulatory Action Policy will apply. That policy and this code both apply a proportionate and risk-based approach. 

ICO guidance

The code took effect on 2 September 2020, so you must conform with the code from 2 September 2021. Further information on this can be found in the transitional arrangements section of the code.

The United Nations Convention on the Rights of the Child (UNCRC) recognises that children need special safeguards and care in all aspects of their life. There is agreement at international level and within the UK that much more needs to be done to create a safer online space for them to learn, explore and play.

In the UK, Parliament and government have acted to ensure that our domestic data protection laws truly transform the way we safeguard our children when they access online services by requiring the Commissioner to produce this statutory code of practice. This code seeks to protect children within the digital world, not protect them from it.

The code sets out 15 standards of age appropriate design reflecting a risk-based approach. The focus is on providing default settings which ensures that children have the best possible access to online services whilst minimising data collection and use, by default.

It also ensures that children who choose to change their default settings get the right information, guidance and advice before they do so, and proper protection in how their data is used afterwards. 

You should follow the standards as part of your approach to complying with data protection law. If you can show us that you conform to these standards then you will conform to the code. The standards are cumulative and interlinked and you must implement them all, to the extent they are relevant to your service, in order to demonstrate your conformity.

The detail below the standards provides further explanation to help you understand and implement them in practice. It is designed to help you if you aren’t sure what to do, but it is not prescriptive. This should give you enough flexibility to develop services which conform to the standards in your own way, taking a proportionate and risk-based approach. It will help you to design services that comply with the General Data Protection Regulation (GDPR) and the Privacy and Electronic Communications Regulations (PECR).

I have studied the ICO’s guidance and Ofcom’s publications closely. Together with the COPPA guidelines in the United States of America, they are likely to inform the development of the Children’s Privacy Code under the Privacy Act, which must be completed in 2 years. The ICO and Ofcom guidance is useful in drafting when the statutory tort for interference with privacy becomes law in June 2025. The tort is stand-alone; however, Australian jurisprudence may be influenced by jurisdictions which are more advanced in this area. Australian law of privacy is virtually a blank page. What jurisprudence there is relates to claims in equity. Most other cases relate to other provisions of the Privacy Act.
