September 2020 marked the introduction of the Information Commissioner's Office (ICO) Children's Code (also known as The Age Appropriate Design Code).

This is a statutory code of practice which seeks to protect children within the digital world through the provision of additional safeguards, while still enabling them to benefit from the use of apps, games and websites, all of which routinely gather thousands of data points about them. With this year seeing a dramatic increase in screen time for children, the introduction of this Code is particularly timely.

The data gathered by these platforms can be used to shape the content children see, persuade them to spend more time using the platform, and to target advertisements based on their viewing history. Naturally, major concerns arise in relation to the privacy of children and the need for special protection in how their personal data is used.

The Children's Code therefore provides additional protection for those under 18. It establishes a set of 15 flexible standards which seek to ensure that the best interests of the child are the primary consideration when designing and developing online services. Some of the key safeguards provided by the Code are:

• settings must be "high privacy" by default, unless there is a compelling reason not to do so
• the minimum amount of data should be collected and retained
• location services should be switched off by default
• children's data should not be shared
• nudge techniques (which encourage users to follow preferred paths) should not be used to encourage children to provide personal data or turn off their privacy settings
• children who choose to change their default settings must be given the right information and advice before they do so, and their data usage must be protected afterwards.

Which organisations need to comply?

The application of the Code is wide, applying to all organisations providing online services and products likely to be accessed by children up to the age of 18. All major social media and online services used by children in the UK will need to conform. The Code is backed by the GDPR and Data Protection Act 2018 which are regulated and enforced by the ICO. Failure to comply with the Code means that a controller is unlikely to be able to demonstrate that the processing of personal data complies with such legislation. This could lead to enforcement action by the ICO, including the imposition of financial penalties up to 4% of global turnover.

What steps should organisations be taking now?

Although the Code came into force on 2 September 2020, there is a 12 month transition period to allow organisations to make changes to ensure that the 15 standards are incorporated into their design processes and development/upgrade processes. Organisations caught by the Code should review the way in which they use and collect personal data belonging to children and amend their processes to ensure compliance with the Code. This may not necessarily be a straightforward or quick fix, so organisations should be acting now to ensure compliance by the end of the transition period.

To assist organisations throughout the transition, the ICO has launched its Children's Code Hub which will help and support developers to achieve compliance.