Alston & Bird Privacy Blog

UK ICO publishes the final version of its Age Appropriate Design Code

By and

On January 21, 2020, the UK ICO published the final version of its Age Appropriate Design Code (the “Design Code”), which sets out 15 standards that online services should meet to protect children’s privacy. The Design Code is not only applicable to online services squarely aimed at children, but also covers online services likely to be accessed by children.

Amongst the 15 standards covered, the Design Code contains sections on:

  • What companies need to consider in order to protect the best interests of children in the design of online services.
  • Undertaking Data Protection Impact Assessments to assess and mitigate risks to the rights and freedoms of children who are likely to access the service.
  • Age appropriate application’, which means that different needs of children at different stages of development should be taken into account when designing the service and applying the Design Code. This section also provides guidance on how users’ ages can be established with an appropriate level of certainty, while taking into account the principle of data minimization.
  • Profiling, including the use of privacy settings (e.g., in the context of behavioral advertising), compliance with cookie consent rules, and the use of appropriate measures to safeguard children (in particular from inappropriate content).

The Design Code also includes an annex setting out various age and developmental brackets together with key considerations aimed at helping providers of online services assess what is appropriate for each bracket.

The Design Code will primarily be of interest to companies regulated by the UK ICO, which will be obliged to take the Design Code into account when considering whether an online service complies with general data protection or ePrivacy rules. However, the guidance is also useful to organizations outside of the UK, given the emphasis placed on protecting children’s interests across various sections of the GDPR and in regulatory guidance at an EU level.

The Design Code can be accessed from the following link. It will come into force approximately two months after being laid before the UK parliament, and will provide for a transition period of 12 months, to give online services time to conform. At the time of writing, the UK ICO anticipates that the Design Code will come into full force by autumn 2021.

About Paul Greaves

Paul Greaves is an associate in the Brussels office and a member of the Privacy & Data Security Team. Paul’s privacy, information technology, and data protection practice includes a focus on compliance with the General Data Protection Regulation, ePrivacy rules, and cross-border data transfers.

[Read Bio]

About Wim Nauwelaerts

Wim Nauwelaerts is a partner in the Brussels office, leading Alston & Bird’s European Privacy & Data Security Team. Wim has over 20 years of experience working with global companies on their data protection, privacy, and cybersecurity needs, including General Data Protection Regulation (GDPR) readiness, data transfer, data security and breach requirements, and compliance training.

[Read Bio]