The Children’s code plays a vital role in keeping children safe online.
Children are protected in the physical world, this code aims to ensure they are protected in the digital world too.
Issued by the Information Commissioner’s Office (ICO), it is a data protection code of practice for online services, such as apps, online games, and web and social media sites, likely to be accessed by children.
The Children’s code (or Age appropriate design code to give its formal title) came fully into force on 2 September 2021.
What is it for?
The Children’s code aims not to protect children from the digital world, but instead protect them within it by ensuring online services are designed with children in mind.
The code is about putting the best interests of children at the heart of online services. The standards are designed to help organisations develop services that recognise children warrant special protection in how their personal data is used, whilst also offering plenty of opportunity to explore and develop online.
It’s about helping to stop children experiencing online harms linked to the processing of their data including loss of confidentiality, detrimental impact from exposure to age inappropriate content, financial loss, and unwarranted intrusions into their private spaces by bad actors.
It sets out 15 standards for online services and products outlining how they should comply with data protection law.
Why do we need a Children’s code?
Apps, games and websites can start to gather personal data the moment a child or young person opens or visits them. This data can include who’s using the service, how frequently and where from.
That information may then be used to tailor the advertisements they see, shape the content they are encouraged to engage with or to persuade them to spend more time using services.
For all the benefits digital services can offer children and young people, the industry is not currently creating a safe space for them to learn, explore and play.
Services need to acknowledge that children should be treated differently. One in five people in the UK who use the internet is a child, but the internet was not designed with them in mind.
When personal data drives the content that children are exposed to, this must be made clear by organisations.
In practical terms this means they should:
- provide privacy settings that are high by default;
- switch off geo-location services that can reveal a child’s location to the world; and
- not use nudge techniques and notifications to encourage children to give up more personal data.
What does it mean for schools?
Schools themselves do not fall under the scope of the code but most of the services schools buy in will fall in scope. When a digital service purchased by a school has an influence on how and why children’s data is used, this service will need to conform with the code.
We advise schools to do due diligence on technology providers they enter into agreements with, and seek assurances that these providers conform with the code.
Including conformance as a contractual requirement is not obligatory, but would help schools meet their accountability requirements as a data controller under wider data protection laws. Schools can seek advice on this from their data protection officer.
There is more detailed information in the FAQs for education technologies (edtech) and schools section of our website.
Regardless of where they sit in relation to the code, schools must still always ensure their use of children’s data and activities comply with the UK GDPR and Data Protection Act 2018.