Press enter to search, esc to close
We know that a lot of organisations, particularly in the retail and digital sectors, are currently grappling with what this means for them. Here’s what you need to know.
The Code sets out 15 standards that organisations providing online services need to implement in order protect the data of its child users. Child users, for the purpose of the Code, are users under the age of 18.
The Code takes a risk-based approach. It recommends default settings which seek to optimise children’s access to online services while limiting the collection and use of their data. It also ensures that those who choose to opt-out of these default settings are able to make an informed decision.
The Code covers a range of online services such as apps, games, connected toys and services and news services. However, it is important that all organisations have an awareness of the Code as it is not limited to services that are designed specifically for children. The Code applies more broadly to “information society services likely to be accessed by children”. This means that if it is ‘more probable than not’ that a certain online service will appeal to children the Code will be engaged, whether that service is specifically targeted at those under 18 years old or not. This is dependent on the nature and content of a service, as well as the way in which the service is accessed.
The Code not only applies to UK companies, but also non-UK companies who process the personal data of UK children.
The 15 standards established by the Code are summarised on the ICO’s website. In effect, these standards simply emphasise and provide substance to the steps that organisations should already be taking to ensure that children’s data is processed in safely, fairly and lawfully. Nonetheless, the Code provides a clear mandate of the ICO’s intentions to be especially proactive when it comes to protecting children’s online privacy rights. It makes it is more important than ever for organisations offering in-scope services to ensure that they have properly considered and documented their approach to data protection compliance. Amongst other things, this means:
While failure to comply with the Code is not a breach per se, it makes it difficult for online service providers to demonstrate compliance with UK GDPR more widely. This is turn could invite regulatory action and result in fines of up to £17.5 million or 4% of your annual worldwide turnover (whichever is higher).
In a post-GDPR world, consumers are increasingly aware of their privacy rights and the importance of protecting the online welfare of children. Although the Code is the first of its kind, it will not be the last, with similar changes being considered in the US, Europe and more globally through the Organisation for Economic Co-operation and Development (OECD). The Code marks a significant step towards protecting young people online and active compliance provides an opportunity for businesses to be seen positively at the forefront of this change.
09 September 2021