What Is the Age Appropriate Design Code?

Digging into the U.K.'s new child privacy rules.

The United Kingdom's Information Commissioner's Office's Age Appropriate Design Code, which went into effect on September 2, 2020, is the latest piece of global regulation designed to put kids' digital well-being first. The code is a strong example of how governments can support the creation of digital spaces that protect kids' privacy.

Common Sense has long supported the code. In a May 31, 2019, submission to the ICO in the U.K., Common Sense commended the regulator for its "efforts to support children's rights in the digital environment." And more recently, Common Sense CEO Jim Steyer expressed hope that the U.S. would follow the U.K.'s example soon, because it represents the type of protections he believes are necessary in the U.S.

Common Sense hosted a virtual workshop with the ICO to help educational technology organizations with implementation. So what does the code actually do? Here's a summary:

  • The code establishes standards and protections for children's personal data in compliance with the European Union's General Data Protection Regulation (GDPR).

  • It applies to "information society services (ISS) likely to be accessed by children (under 18)" in the U.K. ISS is defined very broadly as "any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services."

  • Generally, subject to some very narrow exceptions, if a company offers its service to users in the U.K. or monitors the behavior of users in the U.K., and the service is likely to be accessed by children, it must comply with the code.

  • The code sets out 15 flexible "standards of age appropriate design" that companies must implement by September 2, 2021. Companies must consider the best interest of the child, ages and stages of child development, parental controls, and transparency. Companies should not use children's personal data in ways detrimental to children's well-being, share data absent a compelling reason, or use nudge techniques to encourage children to provide unnecessary data. Companies also must adhere to published terms and conditions and conduct data protection impact assessments (DPIAs). Defaults should include "high privacy" settings, data minimization, and no geolocation tracking or profiling by default. Further, connected toys or devices must come with effective tools to control privacy, and children must be able to exercise their data protection rights and report concerns.

  • Because the code will apply to both new and existing services, companies must build these standards into their design processes from the start, into subsequent upgrade and service development processes, and into their DPIA process.

  • If organizations fail to do so, they could be fined up to €20 million (£17.5 million when the U.K. GDPR comes into effect) or 4% of the company's annual worldwide revenue, whichever is higher.

  • Starting September 2, 2021, the commissioner must consider the code when determining whether or not an online service has complied with its data protection obligations under the GDPR.

The code gives organizations 12 months -- i.e., until September 2, 2021 -- to conform to the new regulations. Additional information about the code can be found on the ICO's website.

Alyona Eidinger
Alyona Eidinger is a third-year student at Santa Clara University School of Law and was a fall 2020 extern for the Common Sense Privacy Program. While in law school, she became interested in privacy law and took several privacy law classes. She received the Witkin Award for Academic Excellence in Comparative Privacy Law. Prior to law school, she worked at a firm in an IP practice group.