Internet Privacy for Children: The UK’s Age Appropriate Design Code

By David Rosado

The internet has dramatically shaped the way our world functions. There are around 4.66 billion active internet users in the world.[1] All together, these billions of users generate massive amounts of data and information daily.[2] While the internet has brought about convenience in that you can pull up your favorite tv show from Netflix straight from your phone or handle any business you may have with your bank through their mobile app, the internet has drummed up severe threats.[3] Spyware, viruses, and ransomware, among several other forms of internet attacks, threaten everyone equally on the internet.[4] However, children are a particularly susceptible group of internet users and they make up about one billion of the 4.66 billion people online.[5] Notably, children’s online privacy has been a focus of numerous countries around the world.[6]  Data privacy is an important issue that has been a priority for the European Union, which ultimately led to the groundbreaking General Data Protection Regulation (“GDPR”). This post will look at the GDPR, the United Kingdom’s (“UK”) implementation of the GDPR through its Data Protection Act of 2018 (“Data Protection Act”), and examine the UK’s Age Appropriate Design Code (“Children’s Code” or “Code”), a new statutory code under the Data Protection Act aimed to protect children’s online privacy.

In 2009, the European Union (“EU”) held a conference that focused on the questions of “[h]ow should personal data be protected in a globalised [sic] world with increased mobility and in the wake of modern communication and information technologies and new policies?” and “[w]hich data is accessed and exchanged by public authorities and private companies?”[7] What resulted was the General Data Protection Regulation (GDPR), which would be proposed in 2012, passed in 2016, and ultimately come into force in 2018.[8] This law is broad in its reach as anyone who processes the personal data of EU citizens or residents, or even offers goods or services to these people, must comply with the GDPR.[9] Further, anyone who monitors the online behavior of EU citizens or residents must comply with the GDPR as well.[10] Under the GDPR, “personal data” is defined as:

any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person[.][11]

In order to facilitate the implementation of the GDPR, the UK passed the Data Protection Act of 2018 to codify the GDPR in the country.[12] Even though the UK would ultimately leave the EU, the data protection regime that has been established to mirror the GDPR still continues to be enforced.[13] During the debate of this piece of legislation in Parliament, concern grew over whether there are adequate protections in place for children. Baroness Tania Kidron expressed this concern by stating that “[w]hile the GDPR acknowledges that children enjoy enhanced rights online, it says little about what this means in practice, and the majority of the provisions for children sit in the recitals, which . . . are not binding.”[14]

Under Section 123 of the Data Protection Act, the Information Commissioner, head of the Information Commissioner’s Office, an independent body created to uphold information rights within the UK[15], is required to create a code of practice that provides guidance to information services that are likely to be accessed by children.[16] This led to the promulgation of the Children’s Code on August 12, 2020 and it came into force on September 20, 2020.[17] The Code gave those who would need to be in compliance twelve months to do so.[18] At the heart of Section 123 is compliance with the UK’s obligations under the United Nations Convention on the Rights of the Child.[19]

The Code applies to any online service that is more probable than not to be accessed by children, including: apps, programs, search engines, streaming services, online games, and even online services that connect to real toys.[20]  The only services that do not need to comply with the Code are online public services that are not commercial, websites simply displaying information without any further interaction from the user, online telephone services, general broadcasting services (i.e. tv or radio), or online counseling or specific health services (i.e. telehealth).[21]

The Code lays out fifteen specific standards. Online services must: (1) ensure the best interests of the child is a primary concern; (2) use data protection impact assessments to assess and mitigate risks to children’s rights; (3) create an age appropriate application for child users; (4) have transparent and concise privacy policies on the website; (5) not use a child’s personal data to their detriment; (6) uphold their own self-imposed policies and community standards; (7)  have settings set to “high privacy” by default; (8) only collect and retain the data that is necessary for the service; (9) not disclose a child’s data unless there is a demonstrable compelling interest; (10) have geolocation off by default; (11) give the child age appropriate information about parental controls; (12) have options which use profiling turned off by default and profiling is only allowed if there are measures to prevent a child from harmful effects and content; (13) not use nudge techniques to encourage a child to provide unnecessary personal data or to turn off privacy protection options; (14) ensure connected toys or devices comply with the Code; and (15) provide accessible tools to help a child exercise their rights and report concerns.[22]

An important aspect of the Children’s Code is that the burden is on businesses to ensure their service complies with the Code.[23] The ICO has estimated that it would cost around £60 million (or around $83 million) for a business to come into compliance.[24] With the ICO’s transitional period over on September 2, 2021, action can now be taken against those companies not in compliance.[25] Those out of compliance can face up to a £17.7 million fine, or 4 percent of annual profits, whichever is greater.[26] Alphabet, Inc., which owns Google, has already updated its global privacy agreements and user interfaces as well has ByteDance Ltd., which owns the popular app TikTok.[27] While the aim of the Children’s Code was to benefit the 14.2 million UK children who access online services[28], it may play a role in shaping the online experience for children around the world. The Children’s Code is already influencing legislation in places such as the United States, where bills have been submitted in Congress that include elements of the Children’s Code.[29] As Information Commissioner Elizabeth Denham states: “[f]or all the benefits the digital economy can offer children, we are not currently creating a safe space for them to learn, explore and play. This statutory code of practice looks to change that.”[30]

[1] Johnson, Joseph, Statistica, Worldwide digital population as of January 2021, Statistica (2021), https://www.statista.com/statistics/617136/digital-population-worldwide/ (last visited September 5, 2021).

[2] See e.g., Domo, Data Never Sleeps 8.0 How much data is generated every minute?, Domo (2020), https://www.domo.com/learn/data-never-sleeps-8 (last visited September 5, 2021).

[3] Cybriant, Comprehensive List of All Types of Internet Threats, Cybriant, https://cybriant.com/comprehensive-list-of-all-types-of-internet-threats/ (last visited September 4, 2021).

[4] Id.

[5] Livingstone, S., Byrne, J. & Carr, J., UNICEF, One in Three: Internet Governance and Children’s Rights, United Nations International Children's Emergency Fund (2016), https://www.unicef-irc.org/publications/795-one-in-three-internet-governance-and-childrens-rights.html (last visited September 5, 2021)

[6] See Freedman, Linn F., The National Law Review, Privacy Tip #298 – Help AGs Try to Protect Children’s Data, The National Law Review (2021),  https://www.natlawreview.com/article/privacy-tip-298-help-ags-try-to-protect-children-s-data (last visited September 5, 2021) (Former United States Attorney General urging parents of children under the age of 13 to monitor the collection of their children’s data); IAPP, South Korea amends child data protection laws, International Association of Privacy Professionals (2019) https://iapp.org/news/a/south-korea-amends-child-data-protection-laws/ (last visited September 5, 2021) (South Korea amended its child data protection laws to require explicit consent from the parents or legal guardians of children under the age of 14 and organizations collecting such data must show proof of this explicit consent).

[7] European Commission, Commission organises conference to look at new challenges for the protection of personal data, European Commission (May 19, 2009), https://ec.europa.eu/commission/presscorner/detail/en/IP_09_812 (last visited September 5, 2021).

[8] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), 2016 O.J. (L 119) 1, https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32016R0679. 

[9] Id. at art. 3(2)(a).

[10] Id. at art. 3(2)(b).

[11] Id. at art. 4(1).

[12] Data Protection Act 2018 (c.12), https://www.legislation.gov.uk/ukpga/2018/12/enacted/data.pdf

[13] ICO, Services covered by this code, Information Commissioner’s Office, https://ico.org.uk/for-organisations/guide-to-data-protection/ico-codes-of-practice/age-appropriate-design-a-code-of-practice-for-online-services/services-covered-by-this-code/ (last visited September 5, 2021).

[14] 785 Parl Deb HC (6th ser.) (2017) col. 1580, https://hansard.parliament.uk/Lords/2017-11-06/debates/107E5465-94B7-4604-981C-1BC49C43FF84/DataProtectionBill (last visited September 5, 2021).

[15] ICO, Who we are, Information Commissioner’s Office https://ico.org.uk/about-the-ico/who-we-are/ (last visited September 5, 2021).

[16] supra note 12 at § 123(1).

[17] ICO, Transitional Arrangements, Information Commissioner’s Office, https://ico.org.uk/for-organisations/guide-to-data-protection/ico-codes-of-practice/age-appropriate-design-a-code-of-practice-for-online-services/transitional-arrangements/ (last visited September 5, 2021).

[18] Id.

[19] supra note 12 at § (4)(b); Denham, Elizabeth, Information Commissioner’s forward, Information Commissioner’s Office, https://ico.org.uk/for-organisations/guide-to-data-protection/ico-codes-of-practice/age-appropriate-design-a-code-of-practice-for-online-services/ (last visited September 5, 2021) (“[The Children’s Code] is rooted in the United Nations Convention on the Rights of the Child (UNCRC) that recognises [sic] the special safeguards children need in all aspects of their life. Data protection law at the European level reflects this and provides its own additional safeguards for children.”

[20] ICO, Services covered by this code, Information Commissioner’s Office https://ico.org.uk/for-organisations/guide-to-data-protection/ico-codes-of-practice/age-appropriate-design-a-code-of-practice-for-online-services/services-covered-by-this-code/ (last visited September 5, 2021).

[21] Id.

[22] ICO, Code standards, Information Commissioner’s Office, https://ico.org.uk/for-organisations/guide-to-data-protection/ico-codes-of-practice/age-appropriate-design-a-code-of-practice-for-online-services/code-standards/ (last visited September 5, 2021).

[23] ICO, Age appropriate design: a code of practice for online services – Impact assessment, 4 Information Commissioner’s Office (2020) http://data.parliament.uk/DepositedPapers/Files/DEP2020-0437/AADC_Impact_Assessment_DCMS.pdf

[24] Id. at 6

[25] ICO, Enforcement of this code, Information Commissioner’s Office, https://ico.org.uk/for-organisations/guide-to-data-protection/ico-codes-of-practice/age-appropriate-design-a-code-of-practice-for-online-services/enforcement-of-this-code/#enforcement4 (last visited September 5, 2021).  

[26] Id.

[27] Deighton, Katie, U.K. Asks Companies to Tweak Internet Privacy Language So Kids Can Understand, The Wall Street Journal (September 3, 2021) https://www.wsj.com/articles/u-k-asks-companies-to-tweak-internet-privacy-language-so-kids-can-understand-11630697195 (last visited September 5, 2021).

[28] supra note 23 at 4.

[29] supra note 27.

[30] supra note 19.