Notice

Explanatory memorandum to the Age Appropriate Design Code 2020 [2020]

Published 11 June 2020

1. Introduction

This explanatory memorandum has been prepared by the Department of Digital, Culture, Media and Sport and is laid before Parliament by Command of her Majesty.

2. Purpose of the instrument

Under section 123(1) of the Data Protection Act 2018 (“the DPA”), the Information Commissioner is required to produce a code of practice on standards of age appropriate design (“the Code”). The Code applies to “relevant information society services which are likely to be accessed by children” in the UK. This includes many apps, programs, connected toys and devices, search engines, social media platforms, streaming services, online games, news or educational websites and websites offering other goods or services to users over the internet. The Code sets out 15 headline standards of age appropriate design that companies need to implement to ensure their services appropriately safeguard children’s personal data and process children’s personal data fairly.

3. Matters of special interest to Parliament

Matters of special interest to the Joint Committee on Statutory Instruments

3.1 The code is not a statutory instrument but is subject to the draft negative resolution procedure as set out in section 125(3) and (4) of the DPA.

Matters relevant to Standing Orders Nos. 83P and 83T of the Standing Orders of the House of Commons relating to Public Business (English Votes for English Laws)

3.2 As the instrument is subject to draft negative resolution procedure there are no matters relevant to Standing Orders Nos. 83P and 83T of the Standing Orders of the House of Commons relating to Public Business at this stage.

4. Extent and Territorial Application

4.1 The territorial extent of the Code is the United Kingdom.

4.2 The territorial application of the Code is the United Kingdom.

5. European Convention on Human Rights

5.1 As the Code is subject to the negative resolution procedure and does not amend primary legislation, no statement is required.

6. Legislative Context

6.1 Under section 123(1) of the DPA the Information Commissioner is required to produce a code of practice on standards of age appropriate design of relevant information society services which are likely to be accessed by children.

6.2 The Code is one of four statutory codes in the DPA that the Information Commissioner is required to prepare (the others being the data-sharing code, the direct marketing code and the data protection and journalism code) and is the first to be laid in Parliament. The DPA provides that courts and tribunals must take into account the provisions of a statutory code where relevant to the proceedings in question.

6.3 Section 125(1)(a) requires the Information Commissioner to submit the final version of the Code to the Secretary of State. Under section 125(2)(a) this must occur within 18 months of the DPA being passed. The Information Commissioner has fulfilled this requirement, submitting the Code to the Secretary of State on 22 November 2019.

6.4 Section 125(1)(b) then requires the Secretary of State to lay the Code before Parliament. Under section 125(2)(b) this must occur “as soon as reasonably practicable”. The Code itself is not a statutory instrument but a statutory code and, as stipulated in section 125(3) and (4) of the DPA, follows the draft negative parliamentary procedure when the Secretary of State lays it in Parliament.

6.5 Section 123(6) of the DPA provides that there can be a transitional period of up to 12 months once the Code comes into force.

7. Policy background

What is being done and why?

7.1 The Code is required under section 123(1) of the DPA. The aim of the Code is to support compliance with the DPA and general principles of the General Data Protection Regulation (“the GDPR”) to ensure online services appropriately safeguard children’s personal data. The Code supports compliance with those general principles by setting out specific protections services need to build in when designing online services likely to be accessed by children. In particular, the Code sets out practical measures and safeguards to ensure processing under the GDPR can be considered ‘fair’ in the context of online risks to children.

7.2 The 15 standards the Code sets out are not intended as technical standards, but as a set of technology-neutral design principles and practical privacy features. The focus is on providing default settings which ensure that children have the best possible access to online services whilst minimising data collection and use, by default.

7.3 In preparing the Code, the Commissioner was required to consider the UK’s obligations under the United Nations Convention on the Rights of the Child (“the UNCRC”), and the fact that children have different needs at different ages. The Code incorporates the key principle from the UNCRC that the best interests of the child should be a primary consideration in all actions concerning children. It also aims to respect the rights and duties of parents, and the child’s evolving capacity to make their own choices.

7.4 While the content of the Code is the responsibility of the Information Commissioner, during the passage of the Data Protection Bill the Government committed to supporting the Information Commissioner’s Office (ICO) to develop the Code by providing a list of minimum standards to be taken into account when designing it. This included default privacy settings, data minimisation standards, the presentation and language of terms and conditions and privacy notices, uses of geolocation technology, automated and semi-automated profiling, transparency of paid-for activity such as product placement and marketing, the sharing and resale of data, the strategies used to encourage extended user engagement, user reporting and resolution processes and systems, the ability to understand and activate a child’s right to erasure, rectification and restriction, the ability to access advice from independent, specialist advocates on all data rights, and any other aspect of design that the commissioner considers relevant.

7.5 The Information Commissioner submitted the final version to the Secretary of State for laying on 22 November 2019. On 22 January 2020, the Government notified the Code to the European Commission under the European Union’s Technical Standards and Regulations Directive (TSRD) in order to meet its obligations under the Withdrawal Agreement. The notification triggered a standstill period during which the Code could not be laid in Parliament (allowing the European Commission and Member States the opportunity to comment on the Code before it came into force). The standstill period ended on 23 April 2020 without comment from Member States or the European Commission.

7.6 The ICO has confirmed there will be a transitional period of 12 months from the date the Code comes into force. This is the maximum transitional period allowed for under the DPA and is to give organisations in scope of the Code time to prepare for its implementation.

7.7 The ICO held a call for evidence to develop the content of the Code in 2018 receiving 97 responses. The ICO also held a public consultation on the Code in 2019 receiving 446 responses. There has been a high level of public interest in the Code, with strong support from child online safety organisations and some sections of industry. While there has been support for the Code’s ambitions to protect children’s personal data across business sectors, there have also been concerns raised throughout the consultation process on the Code’s scope, proportionality and feasibility.

8. European Union (Withdrawal) Act/Withdrawal of the United Kingdom from the European Union

8.1 This instrument does not relate to withdrawal from the European Union / trigger the statement requirements under the European Union (Withdrawal) Act.

8.2 Consolidation

8.3 This will be the first time that an age-appropriate design code prepared under section 123 of the DPA is laid in Parliament under section 125 of the DPA.

9. Consultation outcome

9.1 Under section 123(3) of the DPA, the Information Commissioner is required to prepare the Code, or amendments to it, in consultation with the Secretary of State and such other persons as the Commissioner considers appropriate. This includes children, parents, persons who appear to the Commissioner to represent the interests of children, child development experts and trade associations.

Call for views

9.2 The ICO held a 6 month call for views from June 2018 to December 2018 to inform the development of the Code. The Commissioner sought evidence and views from bodies representing the views of children or parents, child development experts, providers of online services likely to be accessed by children, and trade associations. The ICO received 97 responses to the call for evidence. Respondents provided their views on the proposed age appropriate design standards for the Code. Full responses are available to read on the ICO website.

9.3 In its summary of responses to the call for views, the ICO noted that many respondents saw the Code as an opportunity to reshape the online experience for children, including protecting their privacy, and changing expectations and norms for children online. Many respondents noted the opportunity to raise awareness of privacy issues and privacy settings with children and parents and carers through the Code.

9.4 The ICO also noted some significant challenges from respondents. Some respondents raised concerns around the Code being too prescriptive, discouraging innovation and increasing costs by forcing particular solutions. The ICO noted that many respondents felt that age verification and obtaining parental consent would be a significant challenge. Some respondents also raised particular challenges around the international nature of Internet Society Services and there were some general concerns about monitoring compliance.

Research with children and parents

9.5 Alongside the call for views, the ICO commissioned research to understand the views of children and their parents on the Code. The research was designed to qualitatively and quantitatively explore what children, parents and carers thought about the areas that the Government suggested should be addressed by the Code. The research report is available to read on the ICO’s website.

Public consultation

9.6 The ICO ran a public consultation on the Code between 15 April and 31 May 2019. The ICO received more than 446 written responses to the consultation which were considered to inform the final draft of the Code. A summary of the consultation responses is available on the ICO’s website.

9.7 In its summary of consultation responses, the ICO noted that most respondents, across all sectors, were supportive of the aims and ambition of the Code in protecting the personal data of children. The ICO said that many respondents, typically child development experts and bodies representing children’s views and individuals, including parents, commended the Code and wished for its swift implementation in full.

9.8 The ICO also notes that there were some significant concerns raised, particularly from providers of Internet Society Services and their trade associations, that more could be done to ensure the Code is risk-based and proportionate. It also noted that there was a general concern from some Information Society Services and trade associations that the Code could reach beyond the ICO’s regulatory remit for data protection, and could result in regulatory overlap, duplication or potential inconsistency and could overburden services which are already heavily regulated.

10. Guidance

10.1 The ICO has confirmed there will be a 12 month transitional period once the Code comes into force, to help companies in scope prepare for its implementation. The ICO is preparing a package of support during the transition period to help providers of online services, and in particular small businesses, conform with the Code. The ICO surveyed businesses from February to March 2020 to gather views from providers of online services about the type of support they would most like the ICO to provide during the transition period.

10.2 In addition, the Secretary of State has asked the ICO to undertake an assessment of the Code’s economic impact in order to inform the package of support to industry, which will minimise the risk of disproportionate burdens on small businesses. The assessment of economic impact will be completed before the Code has completed its parliamentary passage. The Department will place a copy in the Libraries of the House of Commons and the House of Lords. The full assessment will also be published on the ICO’s website.

News media frequently asked questions

10.3 The ICO has engaged with the News Media Association to develop specific guidance and Frequently Asked Questions (“FAQs”) for the news media sector on the Code. The FAQs are available on the ICO’s website.

10.4 10.4 The FAQs are being included in the Explanatory Memorandum as a result of a commitment made by the DCMS Secretary of State on 5 June 2020 [Rt Hon Oliver Dowden MP, HC Deb 4 June 2020, vol. 676, col. 983].

10.5 Are digital news media covered by the Code?

There is no exemption for the news media in the provisions of the Code in the DPA. Given the evidence that children often use news media, many digital news media services will fall under the ‘likely to be accessed by children’ test. These services typically process children’s personal data to inform personalised news and digital advertising feeds. Personal data may also be shared with third parties or used for other purposes. That said, the ICO recognises that digital news media are not a core concern for children online, so the provisions of the Code can be applied in a risk-based and proportionate way to reflect this.

10.6 What impact will the Code have on news content?

None. The ICO is not a content regulator. The focus in the Code is on the use of personal data to personalise content feeds (suggesting particular content to particular users, based on their previous browsing history), rather than regulating the content itself. The Code makes clear the importance of children’s own fundamental right to receive information by having access to the media. We recognise the safeguards already present in existing regimes for regulating the media that balance regulation with the public interest in journalism. For media services that already comply with these existing safeguards there should be no impact on the news content they provide.

10.7 Will news media need to formally age-verify their digital services in order to allow users to access news content?

No. We recognise the importance of open access to digital news media, including for children to use it to learn about the world around them. The code reflects a risk-based approach. We have acknowledged the general level of risk for this industry and for those who live up to their existing obligations, this will be low. Ultimately, the approach that news media services will have to take to establish the age of their users will depend on how their service uses personal data. Online services have a choice. The code makes clear that formal age verification will not always be needed to establish age and self-declaration can be used if appropriate to the level of risk. They can either:

• establish age with a level of certainty that is appropriate to the risks to children that arise from their use of personal data, or

• ensure they follow the Code and protect the personal data of all users by default instead (so that they don’t have to establish age as above). We will work with the news media industry during the Code’s transition period (12 months) to enable proportionate and practical measures to be put in place for either scenario.

10.8 How will the Code affect digital advertising?

The Code will not prevent the media from using behavioural advertising. We acknowledge the importance of this revenue stream to the media industry, something we have also recognised in our wider work on ad tech. Under existing legislation (the GDPR and Privacy and Electronic Communications Regulation - PECR) user consent is already needed before behavioural advertising can take place. The Code says that profiling must be switched off by default for child users, or all users if age is not established. Valid GDPR and PECR consent and transparency for cookies will allow this profiling for advertising to be ‘switched on’. The ICO recognises that the risk from behavioural advertising is also lowered when the media apply the relevant Advertising Standards Authority codes.

10.9 What about privacy information, will we have to create multiple versions to conform to the Code?

No. Where the information you are trying to convey is the same, regardless of the age of the user, you will be able to create a single version provided that this is, in fact, genuinely accessible to all who are likely to visit your website.

10.10 How are you guarding against disproportionate outcomes?

The Code has been developed in the context of the ICO’s Regulatory Action Policy, approved by Parliament. This embodies a proportionate and risk based approach to any regulatory action. The Code also incorporates this approach and specifically references the importance of freedom of expression and respecting a child’s right to access information online. In accordance with section 127 of the DPA, the Commissioner and the Courts must take the Code, and therefore its proportionate approach, into account wherever relevant when considering compliance with the law.

10.11 What else will news media need to do to conform to the other standards in the Code?

Once the process for laying the Code in Parliament is complete, there will be a transitional period of 12 months. During this period we are committed to assisting industry to develop solutions to conform with the Code. We particularly recognise that small organisations have specific needs for further assistance, including those within the news media sector. We will dedicate a workstream within our implementation programme to assisting local news media and helping them conform with the Code in practice.

11. Impact

11.1 There is a likelihood of impact on business, charities or voluntary bodies.

11.2 There is a likelihood of impact on the public sector.

11.3 An Impact Assessment was produced for the Data Protection Bill, which implemented the obligations of the EU GDPR in the United Kingdom. The purpose of the Code is to support compliance with the general principles of the GDPR. It provides practical guidance about how to ensure online services appropriately safeguard children’s personal data. If companies do not have sufficient protections in place for children, they will have to make changes to ensure they comply with the GDPR and the Code.

11.4 The ICO is developing a package of support for industry over the 12 month transition period to aid compliance with the Code. The Government has asked the ICO to produce an economic impact assessment of the Code to inform the ICO’s support for businesses during the transition period. This will ensure there is appropriate support for businesses to comply with the Code’s requirements. The assessment of economic impact will be completed before the Code has completed its parliamentary passage. The Department will place a copy in the Libraries of the House of Commons and the House of Lords. The full assessment will also be published on the ICO’s website. In addition, at the request of the Secretary of State, the ICO has committed to undertaking a review of the Code one year following its coming into force.

12. Regulating small business

12.1 The legislation applies to activities that are undertaken by small businesses.

12.2 Conformance with the Code will be monitored in line with the ICO’s Regulatory Action Policy. The policy sets out a proportionate and risk-based approach to taking regulatory action against organisations and individuals that have breached the provisions of the data protection, freedom of information and other legislation. The ICO has set out in the Code that it will take a proportionate and responsible approach to enforcement, focussing on areas with the potential for most harm. The ICO has also said that it will take account of the size and resources of the organisation concerned, the availability of technological solutions in the marketplace and the risks to children that are inherent in the processing.

12.3 Enforcement will take into account the efforts of small business towards conformance during the transition period, as well as the size, and resources of the organisation, and the risks to children inherent in data processing. The ICO is preparing to provide a package of support to help providers of online services, and in particular small businesses, conform with the Code.

13. Monitoring & review

13.1 Under section 126(3) of the DPA the Information Commissioner is required to keep the Code under review. Before preparing any amendments to the Code, the Information Commissioner must consult the Secretary of State and such other persons as the Commissioner considers appropriate. This includes children, parents, persons who appear to the Commissioner to represent the interests of children, child development experts and trade associations

13.2 13.2 At the request of the Secretary of State, the ICO has committed to undertaking a review of the Code one year following its coming into force to assess the efficacy of the Code.

14. Contact

14.1 Gabrielle Melvin at the Department for Digital, Culture, Media & Sport. Telephone: 020 7211 6000 or email: enquiries@culture.gov.uk can be contacted with any queries regarding the Age Appropriate Design Code.

14.2 Orla MacRae, Deputy Director for Online Harms, at the Department of Digital, Culture, Media & Sport can confirm that this Explanatory Memorandum meets the required standard.

14.3 Rt Hon Oliver Dowden CBE MP, Secretary of State for Digital, Culture, Media and Sport can confirm that this Explanatory Memorandum meets the required standard.