Insights / Privacy & Security Law Blog

New Children's Data Privacy Protections Take Effect in the U.K.: What to Know and How to Comply

By Nancy Libin and Alexander B. Reynolds

09.01.21

Beginning September 2, 2021, companies that offer certain types of online services in the U.K. must implement a new code of practice governing the handling of children's personal data (the Children's Code or Code).¹ The Children's Code, which was released by the U.K. Information Commissioner (ICO) in September 2020, was mandated by Section 123(1) of the U.K. Data Protection Act of 2018 (U.K. DPA) and comprises 15 age-appropriate design standards that covered entities must adopt and implement.

The Code was designed to provide a risk-based approach to protecting children's personal data, allowing children to enjoy the benefits of online services while ensuring companies engage in proportionate data collection and use. By conforming to the standards, businesses should be in compliance with the provisions of the U.K. Data Protection Act and EU General Data Protection Regulation that govern the handling of children's personal data.

To Whom the Code Applies

The Code applies broadly to online services "provided for remuneration"—including those supported by online advertising—that process the personal data of and are "likely to be accessed" by children under 18 years of age, even if those services are not targeted at children.²

This includes apps, search engines, social media platforms, online games and marketplaces, news or educational websites, content streaming services, online messaging services, and so forth. And because the U.K. DPA has extraterritorial effect, the Code will apply to any online service—including those based in the United States—that offer goods and services in the U.K. and otherwise meet the threshold.³

What Services Are "Likely to be Accessed by Children?"

The ICO intended that this phrase be interpreted broadly to cover not just services that a business targets to children, but also those that children are "more probable than not" to access, while not covering all services that children could possibly access.

Factors to consider include whether children are likely to be attracted to the nature and content of the service and the way in which users can access the service (e.g., whether a business uses an age gate).⁴ Businesses can analyze market research, other sources of online user behavior, or the user base of similar services to make this determination.⁵

The Code's 15 Age-Appropriate Design Standards

Unlike U.S. children's privacy law, which empowers parents to control the collection, use, and disclosure of their children's data, the Code requires businesses to ensure they process data in the best interests of children and that children are provided the information and tools they need to exercise control over their data.

The Code's standards are meant to be technology-neutral design principles that are flexible enough for businesses to apply to different services and technologies. The standards do not ban or specifically prescribe services and "will never replace parental control and guidance, [but] will help people have greater confidence that their children can safely learn, explore and play online."

1. Ensure data processing is in the best interests of the child: This standard reflects the U.K.'s obligations under the United Nations Convention on the Rights of the Child and requires businesses to make the best interests of the child a primary consideration when designing and developing online services likely to be accessed by a child. The ICO made clear that this standard does not preclude a business from pursuing its own commercial interests, but rather, it requires a business to design and deliver services in a way that protects children from exploitation and other harms that can occur online.
2. Conduct data protection impact assessments: The ICO considers any processing of children's personal data to be processing that is likely to result in a high risk to rights and freedoms. Therefore, businesses must undertake a data protection impact assessment (DPIA) to assess and mitigate risks to the rights and freedoms of children who are likely to access the service. In conducting the DPIA, businesses must, among other things, identify and mitigate any potential harm the processing could cause, including social anxiety, access to harmful content, excessive screen time, and "other significant economic, social or developmental disadvantage."
3. Ensure age-appropriate application of the Code: Businesses should understand the age ranges of children who may access their services so they can design their services and apply the Code to meet those children's needs at different ages and stages of development.
4. Provide adequate transparency: Businesses must provide users explanations of how they collect, use, and disclose personal data in concise, prominent, and clear language suited to the age of the child. Businesses also should provide just-in-time notice at the moment of data collection and encourage children to speak to a parent or guardian before authorizing any new uses of their data.
5. Avoid detrimental uses of data: Businesses must not process children's personal data in ways that could be harmful to their health and wellbeing. Industry codes, regulatory guidelines, and other expert guidance can be sources of information regarding what types of processing could be harmful. The ICO recommends consulting guidance issued by the Committee of Advertising Practice for information about the kinds of advertising and marketing that can cause physical, mental, or moral harm to children.
6. Follow policies and community standards: Businesses must follow their own privacy policies and other public statements regarding their handling of personal data.
7. Develop default settings for high-level privacy protection: Businesses must configure privacy settings for children to the highest level of privacy protection by default except with respect to the use of personal data that is necessary to provide the core service.
8. Ensure data minimization: Businesses may not collect or retain more than the minimum amount of personal data necessary to provide the elements of a service in which a child is actively and knowingly engaged. Children must have separate choices over which elements of a service they want to activate. This can be accomplished via default privacy settings.
9. Limit data sharing: Children's data should be disclosed only if a business can articulate a compelling reason to do so, taking account of the best interests of the child. Businesses should obtain assurances from the recipients that they will adhere to this requirement and should conduct adequate due diligence to ensure that the data recipients are in compliance.
10. Provide enhanced protection for geolocation information: Businesses should switch geolocation options off by default (unless the business can demonstrate a compelling reason for geolocation to be switched on by default, taking account of the best interests of the child) and provide an obvious indicator for children when location tracking is active. Businesses should ensure that access to geolocation information defaults to "off" after a child makes their location visible for a particular purpose for a limited time.
11. Provide notice of parental controls: A business that provides parental controls should give the child age-appropriate information about those controls and should provide an obvious indicator to the child when a parent or guardian is monitoring the child's online activity.
12. Limit profiling: Businesses should configure options that use profiling to "off" by default unless the profiling is essential to the core service being offered. Privacy settings that govern profiling for online behavioral advertising should always be configured "off" by default.
13. Avoid the use of nudge techniques: Businesses should not use persuasive techniques that encourage children to provide unnecessary personal data or reduce their privacy protections.
14. Ensure compliance of connected toys and devices: Businesses that provide connected devices, including connected toys and devices controlled by voice recognition, must provide effective tools to enable compliance with the Code. Devices that could be used by multiple family members, some of whom are children, should be configured to provide protections for children by default and enable user profile options so that the services can be tailored to the age of the child.
15. Provide online tools: Businesses must provide online tools that are easy to find and use so that children can exercise their rights and report concerns.⁶

Enforcement

The ICO has authority to enforce compliance with the Code and issue warnings, reprimands, and penalties of up to £17.5 million or 4 percent of annual global revenue, whichever is higher.

What's Next

Businesses whose services are used by children in the United States and the U.K. will need to ensure that the privacy protections they implement are sufficient to comply with both laws. This will prove challenging, but the Code is flexible.

The Code allows companies to adopt and implement controls and solutions that are tailored to the age range of the children using the services and to the risk that particular services create for children of that age. Accordingly, businesses that offer online services to users in the U.K. should take the following steps:

Determine whether children in the U.K. are likely to use your services: Businesses should consider the nature of the services that they offer to determine whether children—including teens—in the U.K. may be more likely than not to use them.
Conduct a risk assessment based on your user base and services offered and identify any gaps in your privacy program: The Code is much broader in scope than U.S. privacy laws that protect children online, so companies cannot rely on assessments that they have made or technical solutions that they have put in place to comply with U.S. law.⁷ For instance, age gates that companies have in place to prevent children under 13 from accessing services may ensure compliance with the Children's Online Privacy Protection Act (COPPA), but they will not be enough to ensure compliance with the Code.

In addition, the U.K. DPA adopts the GDPR's definition of personal data, which is much more expansive than the definition of personal information under COPPA. Some of the processes put in place to comply with COPPA—such as mechanisms to ensure data minimization—may satisfy certain requirements in the Code, but the Code takes a different approach to protecting children's privacy, focusing on giving children, rather than their parents, the tools they need to control their data. Further, businesses should determine the likely age ranges of children using the services so that they can assess the privacy risks and tailor application of the Code appropriately.
Conduct a data protection impact assessment: Not only are businesses required to conduct a DPIA, doing so will help them determine how best to comply with the other standards, including data minimization, controlling data sharing, limiting profiling and the use of geolocation information, avoiding nudge settings, and preventing harmful uses of children's personal data.
Develop and implement technical solutions, where possible: Businesses will want to rely on technical solutions for some of their compliance obligations. For instance, businesses must set their default settings to provide the highest level of protection for children using their services. This may require segregating services for children and adults to enable continued provision of services to adults without unnecessarily restricting data collection and use for its adult users.

Businesses also must ensure that the technical controls they make available to children are available and easy to use and are tailored to reflect the age(s) of children likely using the services. This, too, may require reconfiguration of technical controls currently available to users of the services.

FOOTNOTES

1 Section 123(1), U.K. Data Protection Act of 2018 (U.K. DPA).
2 Section 123 of the U.K. DPA states that the Children's Code applies to "relevant information society services which are likely to be accessed by children."
3 ICO Guidance available here.
4 Id.
5 Id.
6 Description of the Children's Code available here.
7 While the federal Children's Online Privacy Protection Act (COPPA) covers children under 13 years of age whom the company either targets or has actual knowledge are using the online service, the Code—as noted above—applies to services that are more likely than not to be used by children under 18 years of age.