The ICO issued the code on 12 August 2020 and it will come into force on 2 September 2020 with a 12 month transition period.
Information Commissioner Elizabeth Denham writes:
Data sits at the heart of the digital services
children use every day. From the moment a young person opens an app, plays a game or loads a website, data begins to be gathered. Who's using the service? How are they using it? How frequently? Where from? On what device?
information may then inform techniques used to persuade young people to spend more time using services, to shape the content they are encouraged to engage with, and to tailor the advertisements they see.
For all the benefits the
digital economy can offer children, we are not currently creating a safe space for them to learn, explore and play.
This statutory code of practice looks to change that, not by seeking to protect children from the digital world,
but by protecting them within it.
This code is necessary.
This code will lead to changes that will help empower both adults and children.
One in five UK internet users are
children, but they are using an internet that was not designed for them. In our own research conducted to inform the direction of the code, we heard children describing data practices as nosy, rude and a bit freaky.
national survey into people's biggest data protection concerns ranked children's privacy second only to cyber security. This mirrors similar sentiments in research by Ofcom and the London School of Economics.
This code will lead
to changes in practices that other countries are considering too.
It is rooted in the United Nations Convention on the Rights of the Child (UNCRC) that recognises the special safeguards children need in all aspects of their life.
Data protection law at the European level reflects this and provides its own additional safeguards for children.
The code is the first of its kind, but it reflects the global direction of travel with similar reform being
considered in the USA, Europe and globally by the Organisation for Economic Co-operation and Development (OECD).
This code will lead to changes that UK Parliament wants.
Parliament and government ensured UK
data protection laws will truly transform the way we look after children online by requiring my office to introduce this statutory code of practice.
The code delivers on that mandate and requires information society services to
put the best interests of the child first when they are designing and developing apps, games, connected toys and websites that are likely to be accessed by them.
This code is achievable.
The code is
not a new law but it sets standards and explains how the General Data Protection Regulation applies in the context of children using digital services. It follows a thorough consultation process that included speaking with parents, children, schools,
children's campaign groups, developers, tech and gaming companies and online service providers.
Such conversations helped shape our code into effective, proportionate and achievable provisions.
Organisations should conform to the code and demonstrate that their services use children's data fairly and in compliance with data protection law.
The code is a set of 15 flexible standards 203 they do not ban or specifically prescribe 203 that provides built-in protection to allow children to explore, learn and play online by ensuring that the best interests of the child
are the primary consideration when designing and developing online services.
Settings must be high privacy by default (unless there's a compelling reason not to); only the minimum amount of personal data should be collected and
retained; children's data should not usually be shared; geolocation services should be switched off by default. Nudge techniques should not be used to encourage children to provide unnecessary personal data, weaken or turn off their privacy settings. The
code also addresses issues of parental control and profiling.
This code will make a difference.
Developers and those in the digital sector must act. We have allowed the maximum transition period of
12 months and will continue working with the industry.
We want coders, UX designers and system engineers to engage with these standards in their day-to-day to work and we're setting up a package of support to help.
But the next step must be a period of action and preparation. I believe companies will want to conform with the standards because they will want to demonstrate their commitment to always acting in the best interests of the child.
Those companies that do not make the required changes risk regulatory action.
What's more, they risk being left behind by those organisations that are keen to conform.
A generation from now, I believe we
will look back and find it peculiar that online services weren't always designed with children in mind.
When my grandchildren are grown and have children of their own, the need to keep children safer online will be as second
nature as the need to ensure they eat healthily, get a good education or buckle up in the back of a car.
And while our code will never replace parental control and guidance, it will help people have greater confidence that their
children can safely learn, explore and play online.
There is no doubt that change is needed. The code is an important and significant part of that change.
News websites will have to ask readers to verify their age or comply with a new 15-point code from the Information Commissioner's Office (ICO) designed to protect children's online data, ICO has confirmed.
Press campaign groups were hoping news
websites would be exempt from the new Age Appropriate Design Code so protecting their vital digital advertising revenues which are currently enhanced by extensive profiled advertising.
Applying the code as standard will mean websites putting
privacy settings to high and turning off default data profiling. If they want to continue enjoying revenues from behavioural advertising they will need to get adult readers to verify their age.
In its 2019 draft ICO had previously said such measures
must be robust and that simply asking readers to declare their age would not be enough.But it has now confirmed to Press Gazette that for news websites that adhere to an editorial code, such self-declaration measures are likely to be sufficient.
could mean news websites asking readers to enter their date of birth or tick a box confirming they are over 18. An ICO spokesperson said sites using these methods might also want to consider some low level technical measures to discourage false
declarations of age, but anything more privacy intrusive is unlikely to be appropriate..
But Society of Editors executive director Ian Murray predicted the new demands may prove unpopular even at the simplest level. Asking visitors to confirm
their age [and hence submit to snooping and profiling] -- even a simple yes or no tick box -- could be a barrier to readers.
The ICO has said it will work with the news media industry over a 12-month transition period to enable proportionate and
practical measures to be put in place for either scenario.
In fact ICO produced a separate document alongside the code to explain how it could impact news media, which it said would be allowed to apply the code in a risk-based and proportionate way.
The Information Commissioner's Office (ICO) has just published its Age Appropriate Design Code:
The draft was published last year and was opened to a public consultation which came down heavily against ICO's demands that website users should be
age verified so that the websites could tailor data protection to the age of the user.
Well in this final release ICO has backed off from requiring age verification for everything, and instead suggested something less onerous called age
'assurance'. The idea seems to be that age can be ascertained from behaviour, eg if a YouTube user watches Peppa Pig all day then one can assume that they are of primary school age.
However this does seem lead to a loads of contradictions, eg age
can be assessed by profiling users behaviour on the site, but the site isn't allowed to profile people until they are old enough to agree to this. The ICO recognises this contradiction but doesn't really help much with a solution in practice.
ICO defines the code as only applying to sites likely to be accessed by children (ie websites appealing to all ages are considered caught up by the code even though they are not specifically for children.
On a wider point the code will be very
challenging to monetisation methods for general websites. The code requires website to default to no profiling, no geo-location, no in-game sales etc. It assumes that adults will identify themselves and so enable all these things to happen. However it
may well be that adults will quite like this default setting and end up not opting for more, leaving the websites without income.
Note that these rules are in the UK interpretation of GDPR law and are not actually in the European directive. So they
are covered by statute, but only in the UK. European competitors have no equivalent requirements.
The ICO press release reads:
Today the Information Commissioner's Office has published its final Age Appropriate Design Code
-- a set of 15 standards that online services should meet to protect children's privacy.
The code sets out the standards expected of those responsible for designing, developing or providing online services like apps, connected
toys, social media platforms, online games, educational websites and streaming services. It covers services likely to be accessed by children and which process their data.
The code will require digital services to automatically
provide children with a built-in baseline of data protection whenever they download a new app, game or visit a website.
That means privacy settings should be set to high by default and nudge techniques should not be used to
encourage children to weaken their settings. Location settings that allow the world to see where a child is, should also be switched off by default. Data collection and sharing should be minimised and profiling that can allow children to be served up
targeted content should be switched off by default too.
Elizabeth Denham, Information Commissioner, said:
"Personal data often drives the content that our children are exposed to -- what
they like, what they search for, when they log on and off and even how they are feeling.
"In an age when children learn how to use an iPad before they ride a bike, it is right that organisations designing and developing
online services do so with the best interests of children in mind. Children's privacy must not be traded in the chase for profit."
The code says that the best interests of the child should be a primary
consideration when designing and developing online services. And it gives practical guidance on data protection safeguards that ensure online services are appropriate for use by children.
"One in five internet users in the UK is a child, but they are using an internet that was not designed for them.
"There are laws to protect children in the real world -- film ratings, car seats, age
restrictions on drinking and smoking. We need our laws to protect children in the digital world too.
"In a generation from now, we will look back and find it astonishing that online services weren't always designed with
children in mind."
The standards of the code are rooted in the General Data Protection Regulation (GDPR) and the code was introduced by the Data Protection Act 2018. The ICO submitted the code to the Secretary of
State in November and it must complete a statutory process before it is laid in Parliament for approval. After that, organisations will have 12 months to update their practices before the code comes into full effect. The ICO expects this to be by autumn
This version of the code is the result of wide-ranging consultation and engagement.
The ICO received 450 responses to its initial consultation in April 2019 and followed up with dozens of meetings
with individual organisations, trade bodies, industry and sector representatives, and campaigners.
As a result, and in addition to the code itself, the ICO is preparing a significant package of support for organisations.
The code is the first of its kind, but it reflects the global direction of travel with similar reform being considered in the USA, Europe and globally by the Organisation for Economic Co-operation and Development (OECD).
The code now has to be laid before parliament for approval for a period of 40 sitting days -- with the ICO saying it will come into force 21 days after that, assuming no objections. Then there's a further 12
month transition period after it comes into force.
Obligation or codes of practice?
Neil Brown, an Internet, telecoms and tech lawyer at Decoded Legal explained:
This is not, and will not be, 'law'. It
is just a code of practice. It shows the direction of the ICO's thinking, and its expectations, and the ICO has to have regard to it when it takes enforcement action but it's not something with which an organisation needs to comply as such. They need to
comply with the law, which is the GDPR [General Data Protection Regulation] and the DPA [Data Protection Act] 2018.
Right now, online services should be working out how to comply with the GDPR, the ePrivacy rules, and any other
applicable laws. The obligation to comply with those laws does not change because of today's code of practice. Rather, the code of practice shows the ICO's thinking on what compliance might look like (and, possibly, goldplates some of the requirements of
the law too).
The ICO's Age Appropriate Design Code released today includes changes which lessen the risk of widespread age gates, but retains strong incentives towards greater age gating of content.
Over 280 ORG supporters wrote to the ICO
about the previous draft code, to express concerns with compulsory age checks for websites, which could lead to restrictions on content.
Under the code, companies must establish the age of users, or restrict their use of data. ORG
is concerned that this will mean that adults only access websites when age verified creating severe restrictions on access to information.
The ICO's changes to the Code in response to ORG's concerns suggest that different
strategies to establish age may be used, attempting to reduce the risk of forcing compulsory age verification of users.
However, the ICO has not published any assessment to understand whether these strategies are practical or what
their actual impact would be.
The Code could easily lead to Age Verification through the backdoor as it creates the threat of fines if sites have not established the age of their users.
While the Code has
many useful ideas and important protections for children, this should not come at the cost of pushing all websites to undergo age verification of users. Age Verification could extend through social media, games and news publications.
Jim Killock, Executive Director of Open Rights Group said:
The ICO has made some useful changes to their code, which make it clear that age verification is not the only method to determine age.
However, the ICO don't know how their code will change adults access to content in practice. The new code published today does not include an Impact Assessment. Parliament must produce one and assess implications for free expression
before agreeing to the code.
Age Verification demands could become a barrier to adults reaching legal content, including news, opinion and social media. This would severely impact free expression.
public and Parliament deserve a thorough discussion of the implications, rather than sneaking in a change via parliamentary rubber stamping with potentially huge implications for the way we access Internet content.
For some bizarre reason the ICO seems to have been given powers to make wide ranging internet censorship law on the fly without needing it to be considered by parliament. And with spectacular
incompetence, they have come up with a child safety plan to require nearly every website in Britain to implement strict age verification. Baldric would have been proud, it is more or less an internet equivalent of making children safe on the roads by
banning all cars.
A trade association for news organisations, News Media Association, summed up the idea in a consultation response saying:
ICO's Age Appropriate Code Could Wreak Havoc On News Media
Unless amended, the draft code published for consultation by the ICO would undermine the news media industry, its journalism and business innovation online. The ICO draft code would require commercial news media publishers to choose between their online
news services being devoid of audience or stripped of advertising, with even editorial content subject to ICO judgment and sanction, irrespective of compliance with general law and codes upheld by the courts and relevant regulators.
The NMA strongly objects to the ICO's startling extension of its regulatory remit, the proposed scope of the draft code, including its express application to news websites, its application of the proposed standards to all users in the
absence of robust age verification to distinguish adults from under 18-year olds and its restrictions on profiling. The NMA considers that news media publishers and their services should be excluded from scope of the proposed draft Code.
Attracting and retaining audience on news websites, digital editions and online service, fostering informed reader relationships, are all vital to the ever evolving development of successful newsbrands and their services, their
advertising revenues and their development of subscription or other payment or contribution models, which fund and sustain the independent press and its journalism.
There is surely no justification for the ICO to attempt by way of
a statutory age appropriate design code, to impose access restrictions fettering adults (and children's) ability to receive and impart information, or in effect impose 'pre watershed' broadcast controls upon the content of all currently publicly
available, free to use, national, regional and local news websites, already compliant with the general law and editorial and advertising codes of practice upheld by IPSO and the ASA.
In practice, the draft Code would undermine
commercial news media publishers' business models, as audience and advertising would disappear. Adults will be deterred from visiting newspaper websites if they first have to provide age verification details. Traffic and audience will also be reduced if
social media and other third parties were deterred from distributing or promoting or linking titles' lawful, code compliant, content for fear of being accused of promoting content detrimental to some age group in contravention of the Code. Audience
measurement would be difficult. It would devastate advertising, since effective relevant personalised advertising will be rendered impossible, and so destroy the vital commercial revenues which actually fund the independent media, its trusted journalism
and enable it to innovate and evolve to serve the ever-changing needs of its audience.
The draft Code's impact would be hugely damaging to the news industry and wholly counter to the Government's policy on sustaining high quality,
trusted journalism at local, regional, national and international levels.
Newspapers online content, editorial and advertising practices do not present any danger to children. The ICO has not raised with the industry any evidence
of harm, necessitating such drastic restrictions, caused by reading news or service of advertisements where these are compliant with the law and the standards set by specialist media regulators.
The Information Commissioner's Office
has a 'cunning plan'
Of course the News Media Association is making a strong case for its own exclusion from the ICO's 'cunning plan', but the idea is equally devastating for websites from any other internet sector.
Information Commissioner Elizabeth Denham was
called to give evidence to Parliament's DCMS Select Committee this week on related matters, and she spoke of a clearly negative feedback to her age verification idea.
Her sidekick backtracked a little, saying that the ICO did not mean Age
Verification via handing over passport details, more like one of those schemes where AI guesses age by scanning what sort of thing the person has been posting on social media. (Which of course requires a massive grab of data that should be best kept
private, especially for children). The outcome seems to be a dictate to the internet industry to 'innovate' and find a solution to age verification that does not require the mass hand over of private data (you know like what the data protection laws
are supposed to be protecting). The ICO put a time limit on this innovation demand of about 12 months.
In the meantime the ICO has told the news industry that age verification idea won't apply to them, presumably because they can kick up a hell of
stink about the ICO in their mass market newspapers. Denham said:
We want to encourage children to find out about the world, we want children to access news sites.
So the concern about the
impact of the code on media and editorial comment and journalism I think is unfounded. We don't think there will be an impact on news media sites. They are already regulated and we are not a media regulator.
She did speak any similar
reassuring words to any other sector of the internet industry who are likely to be equally devastated by the ICO's 'cunning plan'.
This is so wrong on so many levels. Britain would undergo a mass tantrum.
How are parents supposed to entertain their kids if they can't spend all day on YouTube?
And what about all the
privacy implications of letting social media companies have complete identity details of their users. It will be like Cambridge Analytica on speed.
Jeremy Hunt wrote to the social media companies:
Thank you for participating in the working group on children and young people's mental health and social media with officials from my Department and DCMS. We appreciate your time and engagement, and your willingness to continue discussions and
potentially support a communications campaign in this area, but I am disappointed by the lack of voluntary progress in those discussions.
We set three very clear challenges relating to protecting children and young people's mental
health: age verification, screen time limits and cyber-bullying. As I understand it, participants have focused more on promoting work already underway and explaining the challenges with taking further action, rather than offering innovative solutions or
In particular, progress on age verification is not good enough. I am concerned that your companies seem content with a situation where thousands of users breach your own terms and conditions on the minimum user
age. I fear that you are collectively turning a blind eye to a whole generation of children being exposed to the harmful emotional side effects of social media prematurely; this is both morally wrong and deeply unfair on parents, who are faced with the
invidious choice of allowing children to use platforms they are too young to access, or excluding them from social interaction that often the majority of their peers are engaging in. It is unacceptable and irresponsible for you to put parents in this
This is not a blanket criticism and I am aware that these aren't easy issues to solve. I am encouraged that a number of you have developed products to help parents control what their children an access online in response
to Government's concerns about child online protection, including Google's Family Link. And I recognise that your products and services are aimed at different audiences, so different solutions will be required. This is clear from the submissions you've
sent to my officials about the work you are delivering to address some of these challenges. However, it is clear to me that the voluntary joint approach has not delivered the safeguards we need to protect our children's mental health. In May, the
for Digital, Culture, Media and Sport will publish the Government response to the Internet Safety Strategy consultation, and I will be working with the Secretary of State to explore what other avenues are open to us to
pursue the reforms we need. We will not rule out legislation where it is needed.
In terms of immediate next steps, I appreciate the information that you provided our officials with last month but would be grateful if you would set
out in writing your companies' formal responses, on the three challenges we posed in November. In particular, I would like to know what additional new steps you have taken to protect children and young people since November in each of the specific
categories we raised: age verification, screen time limits and cyber-bullying. I invite you to respond by the end of this month, in order to inform the Internet Safety Strategy response. It would also be helpful if you can set out any ideas or further
plans you have to make progress in these areas.
During the working group meetings I understand you have pointed to the lack of conclusive evidence in this area — a concern which I also share. In order to address this, I have asked
the Chief Medical Officer to undertake an evidence review on the impact of technology on children and young people's mental health, including on healthy screen time. 1 will also be working closely with DCMS and UKRI to commission research into all these
questions, to ensure we have the best possible empirical basis on which to make policy. This will inform the Government's approach as we move forwards.
Your industry boasts some of the brightest minds and biggest budgets globally.
While these issues may be difficult, I do not believe that solutions on these issues are outside your reach; I do question whether there is sufficient will to reach them.
I am keen to work with you to make technology a force for
good in protecting the next generation. However, if you prove unwilling to do so, we will not be deterred from making progress.