Schools are back – and time to comply with the ICO’s Age Appropriate Design Code

From the 2 September 2021 the UK's Information Commissioner's Office ("ICO") expects organisations to be compliant with its Age Appropriate Design Code (“AADC”). The AADC came into force last year but organisations had a 12 month transition period to implement its requirements. This transition period ended on 2 September and we could see the ICO start to take enforcement action for non-compliance.

The AADC applies to information society services (“ISS”) (e.g. websites, games, apps, connected toys and IoT devices) that are likely to be accessed by children in the UK. A “child” is defined as anyone under the age of 18. The Code contains 15 principle-based standards for “age appropriate design” intended to safeguard children and their personal data online. They include, for example: the obligation to confirm user age with a level of certainty appropriate to the privacy risks, implementation of age appropriate privacy policies, and a prohibition on “nudge techniques” that encourage children to provide more personal data or turn off privacy protections.

Now that the transition period is over, organisations providing ISS likely to be accessed by children (a potentially broad remit) should ensure they have complied with and implemented the Code’s standards – and be able to demonstrate such compliance. The Code advocates a risk-based approach and ISS providers should prioritise services specifically targeted to children and those which pose the highest privacy risks.

The ICO has repeatedly emphasised the importance of complying with the AADC and recently indicated that it would be “proactive” in requiring social media platforms, video and music streaming sites and the gaming industry to tell the regulator how their services are designed in line with the Code. We should get a sense of how the ICO will enforce the AADC over the next few months. In the meantime, we suspect it’s not just the kids who will have that back-to-school feeling….