ICO Children’s Code – what do businesses need to know and what should you be doing now?

The code translates the GDPR requirements into design standards for online products and services, helping businesses understand what is expected of them. Ultimately, the aim of the code is to ensure children’s personal data is protected online. Although the code does not do this, in recent presentations the ICO have separated the standards into the following three groupings:

• Core principles;
  

• Service design; and

• Data processing.

Adopting that approach, here is a useful visual aid we have created which sets out the interlinked and mutually supportive standards in the ICO’s three groupings:

From 2 September 2021, businesses will be expected to meet the 15 standards, otherwise there is a possibility of enforcement action, e.g. compulsory audits, processing bans and fines, let alone reputational damage it could do to a brand. While the ICO has said they will take a measured and proportionate approach, twelve months will have passed by the time the transitional period is up and during that time the ICO will expect to see progress.

What should you be doing now?

Whilst the ICO is not expecting every organisation to be 100% compliant by September 2021, you will be expected at least to have:

1. Worked out whether you are in scope

Step 1 is to determine whether your online products and services are in scope; i.e. are they relevant information society services which are likely to be accessed by children? If the answer is “yes”, then you need to be taking steps to ensure compliance. Even if the answer is “no” and you do not believe you are in scope, then you still need to document and evidence that decision. User testing and surveys, market research and academic literature will all be helpful to support your decision.

2. Undertaken a Data Protection Impact Assessment (DPIA)

If you are in scope, then you need to start your DPIA. There is a template DPIA set out at Annex D of the code. As part of that exercise, you will need to map children’s data and age ranges, as well as the associated user journey. When assessing risks and mitigations, keep an eye out for various resources the ICO has in the pipeline to assist with this, including its Children’s code harms framework (currently in beta) and further DPIA guidance with examples.

3. Put a road map in place

Having a road map will show you are taking the code seriously and are making progress to comply with the standards. Take a risk-based approach to your compliance, prioritising areas of higher risk. If (as is likely) all the changes contemplated cannot be made by 2 September 2021, set out in as much detail as you can how you will address any issues and the steps you have taken so far, as well as a proposed timeline to get to full compliance.

What is the key challenge facing businesses?

The key challenge is the delicate balancing act between putting the best interest of the child first and exploring commercial opportunity. It is worth remembering that the aim of the code is “to protect children within the digital world, not protect them from it". The ICO recognises that 1 in 5 internet users are children and that in a survey about the biggest data protection concerns children’s privacy ranked second, only beaten by cyber security. Commercial opportunity still exists – it is a question of putting the best interests of the child first and working from there. From some businesses this will be second nature; for others this is going to be a new way of designing, innovating and creating online products and services that children are likely to use.

Conclusion

It is fair to say businesses find themselves at different stages of complying with the code but all should have the date of 2 September 2021 firmly in mind. We are a little over 4 months out from the end of the transition period so it is essential to take some basic steps now. For those further along the journey, keep an eye on additional resources produced by the ICO in the coming months, and use this to fine tune your compliance plan.

It is worth noting that protecting children’s data and privacy reflects what the ICO refers to as “the global direction of travel” in this area. If you have an international remit you may wish to join us for our next event on 27 May (at 3.00pm via WebEx) where we will be looking at children’s data from a global perspective, with a particular focus on the US and Ireland. We are delighted to be joined by Gary Kibel of US firm Davis+Gilbert and Victor Timon from Lewis Silkin Ireland who will share their experiences with protecting children’s data in different jurisdictions. To register please click here.

And of course, if you do have any questions or we can be of any assistance please do not hesitate to contact Alexander Milner-Smith, Ali Vaziri or Tamsin Hoque.