The ICO’s Children’s Code

The ICO introduced the Children’s Code (the “Code”) in September 2020. It establishes a code of practice to protect children’s digital privacy, acknowledging that children’s personal data should be afforded additional protection, whilst ensuring that children receive “best possible access” to the internet in the UK. Any person under the age of 18 is a “child” for the purpose of the Code.

The Code applies to “relevant information society services which are likely to be accessed by children in the UK”. If your business provides online services such as apps, online games and web and social media sites likely to be accessed by children, your business will be caught by the Code.

The Code sets out 15 standards which can be reviewed here. Whilst it is not law, in practice, in the event of a complaint (such as an allegation of a data breach), the courts and the ICO will take the Code and compliance with it into account.

Should a business fail to comply, the ICO has a variety of powers to ensure compliance, such as a compulsory audit, orders to stop processing, and fines of up to 4% of the company’s global turnover (equal to those imposed on businesses that fail to meet the requirements of the UK GDPR).

The ICO set 02 September 2021 as the date for compliance with the Code. To help achieve compliance, you should consider the following steps:

  1. Undertake a business-wide data protection audit to ensure compliance (including reviewing existing privacy notices and data protection policies in place).
  2. Consider undertaking a data protection impact assessment (“DPIA”) to determine that compliance with the Code has been met.
  3. Read, review and analyse the Code in detail.
  4. Review your business’ privacy settings.
  5. Document reasons to demonstrate that children will not be accessing your services (if applicable).

For more information on this article, please contact Emma Harris.
