Date: 2020-01-30

The Information Commissioner’s Office (‘ICO’) issued, on 21 January 2020, its final Age Appropriate Design Code (‘the Code’) outlining the key standards that online service providers should meet to protect children’s privacy online. In particular, the Code covers services which process children’s data, including apps, connected toys, social media platforms and streaming services, and also requires that online service providers design their apps, games and websites in a way which ensures the protection of children’s data.

In addition, the Code constitutes a set of 15 flexible standards which provide built-in protection to allow children to explore, learn and play online by ensuring that the best interests of the child are the primary consideration when designing and developing online services. Furthermore, the ICO highlights that the Code is rooted in the General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’) and the Data Protection Act 2018, and that, after the public consultation, the final Code will be sent to Parliament for its approval.

How can companies ensure that the best interests of the child are met while pursuing commercial interests and what points of incompatibility and compatibility do you see?

Tim Hickman, Partner at White & Case LLP, told OneTrust DataGuidance, “To a large extent, it is possible for companies to design and develop services for children, and process their personal data, in a manner that furthers their own commercial interests while also ensuring that the best interests of the child are met. For example, a company might allow a child to create an account on its online platform in order for the child to gather together games, videos, or other content that may be of interest to the child. It is clearly in the company’s commercial interest to provide the service, but that activity is not incompatible with the best interests of the child. Clearly, in this scenario, the company would need to first obtain parental consent in accordance with Article 8(1) of the GDPR.”

In case of incompatibility between the commercial interests of the company and the interests of the child, the Code states that the best interests of the child must be the primary consideration. The Code provides the following examples of incompatibility:

adopting default settings that permit general or unlimited processing of personal data of children; and

sharing personal data of children with third parties if those third parties are likely to use the data in ways that are detrimental to the affected children.

Edward Machin, Associate at Ropes & Gray LLP, highlighted that, “The challenges for many companies will be the wide scope of the Code and organisations, such as search engines, social media platforms and streaming services, which may not be focused primarily on under 18 year olds, will need to consider how to revise or develop their systems to ensure that they reflect the requirements of the Code. To take an example, these companies may need to cater to both children and adult users by creating a range of privacy notices that are presented depending on the user’s age.”

What practical steps should be taken during the 12-month transition period allowed by the Code?

Hickman continued, “The ICO has stated that it will allow a “maximum transition period of 12 months” but it is not entirely clear what this means in practice. On the one hand, the Code explains that companies that provide information society services to children have 12 months to ensure that their services conform to the Code. On the other hand, the content of the Code simply provides an explanation of the ICO’s interpretation of the applicable provisions of existing laws.” Therefore, as Hickman noted, “companies should not assume that unlawful processing of personal data of children that takes place during the transition period will go unpunished, as it seems unlikely that the ICO would refrain from taking enforcement action in respect of breaches of the law, simply because the 12 month transition period has not yet ended.”

What obstacles might different age verification methods bring up?

Machin noted that age verification “is going to be one of the biggest hurdles for organisations that are subject to the Code.” In addition, Hickman explains, “these mechanisms require companies to acquire additional personal data in order to satisfy their compliance obligations under the Code. However, the Code does not directly explain how to reconcile this approach with Article 11 of the GDPR, which states that companies are not obliged to acquire additional information in order to identify an individual solely for the purposes of GDPR compliance. Instead, the GDPR simply acknowledges that this is a “developing area.””

The Code states that one method by which a company can establish age with an appropriate level of certainty is by engaging third-party service providers. This method reduces the amount of personal data the company needs to collect and may allow the company to take advantage of technological expertise and the latest developments in the field.

According to the Code, if a company decides to engage a third-party service provider when verifying the age of the child, it would be required to provide users with clear information about this service. Finally, Hickman noted, “The Code does not permit companies to outsource responsibility. If a company engages a third-party service provider to conduct age verification checks, the company must carry out due diligence to satisfy itself that the third party service provider is verifying ages with a sufficient level of certainty.”

MARINA IOANNOU Privacy Analyst

Comments provided by:

TIM HICKMAN Partner

White & Case LLP