The ICO says the code is “the first of its kind” in the world, and will be complemented by other initiatives to address online harms.
Background: In the Data Protection Act of 2018, the Government included provisions requiring the ICO to produce an age-appropriate design code of practice to give guidance to organisations about the privacy standards they should adopt when offering online services that children are likely to access, and which will process their personal data. This is part of an effort to create “world-leading standards” that provide proper safeguards for children when they are online. The ICO then published a first version of the code in April 2019, which was informed by the views of academics, civil society and industry.
The code is now ready: The ICO has now announced the final version of the code, which will require digital services to automatically provide children with a built-in baseline of data protection whenever they download a new app or visit a website. Companies should have the best interests of the child as a ‘primary consideration’ when designing online services. Privacy settings should be set to the highest level by default and ‘nudge techniques’ should not be used to encourage children to weaken their settings. Location settings should also be switched off by default. Data collection and sharing should be minimised and profiling that can allow children to be served up targeted content should be switched off by default too. In presenting the code, the Information Commissioner, Elizabeth Denham noted the code is the first of its kind, but it reflects the global direction of travel with similar reform being considered in the US, Europe and globally by the OECD.
Next steps: The Secretary of State will now need to lay the code before Parliament for its approval. The UK Government will also notify the European Commission of the code, and observe the resulting 3-month standstill period. Once the code has been laid it will remain before Parliament for 40 sitting days. If there are no objections, it will come into force 21 days after that. The code then provides a transition period of 12 months, to give online services time to conform. The ICO will then aim to have “significant engagement” with organisations to help them understand the code and prepare for its implementation.