A number of our clients are currently taking steps to comply with the ICO’s Age Appropriate Design Code (“AADC”), which applies to digital services likely to be accessed by children. The AADC’s transitional period ends on 2 September 2021, and organisations therefore have six months to get ready.
As they do so, it is well worth also bearing in mind another piece of draft regulatory guidance on the use of children’s data, the Irish DPC’s Fundamentals for a Child-Oriented Approach to Data Processing (“Fundamentals”).
Both documents are underpinned by the same set of GDPR principles, and therefore set out a broadly similar set of requirements for the processing of children’s data. However, there are some differences in approach, and I pick out a few (but by no means all) of these below:
1. The scope of the AADC is limited to “information society services” (which will cover most online services), whereas the Fundamentals applies more widely to both online and offline services.
2. A key issue for clients preparing for the AADC is the question of whether a service is “likely to be accessed” by children, even where it is not directed to them. The Fundamentals applies a similar standard but provides a helpful set of additional non-exhaustive factors to take into account in determining whether this standard is met, including: the subject matter and visual content of the site, whether there are any child-related activities or incentives, the language or other characteristics of the website or service, and the age of users of similar services.
3. The AADC requires that organisations take a risk-based approach to age verification. The Fundamentals takes a similar approach but explicitly states that a higher burden applies to internet and technology companies in terms of taking innovative approaches to effectively verifying age, both for assessing whether users are children under 18, and for determining if parental consent is needed for aspects of the service (in Ireland the digital age of consent is 16, whereas it is 13 in the UK).
4. Unlike the AADC, the Fundamentals also makes clear that where services are likely to be accessed by children, organisations should not try to avoid their responsibilities by providing a two-tier service where an inferior level of features is offered to children. This could pose challenges to providers of mixed-audience services who may be considering a bifurcated experience.
5. Whilst both frameworks require default settings for children to be set to the most privacy protective, there is a slight difference in approach. Where a child user switches off a default privacy setting, the Fundamentals require that at the end of the session the setting reverts to the default, whereas the AADC allows organisations the option of asking child users if they wish to change the settings permanently or just for a session.
The Fundamentals aren’t as far along as the AADC in terms of adoption, and are currently open for consultation until 31 March 2021, but will eventually be an additional important framework for consideration.
They introduce child-specific data protection interpretative principles and recommended measures that will enhance the level of protection afforded to children against the data processing risks posed to them by their use of/access to services in both an online and offline world.