Ready for the Children’s Code?

March 10, 2021
Tim Heywood


View profile

The Information Commissioner’s Office (ICO) Children’s Code on data processing sets out 15 ‘standards’ which data controllers and processors will have to adhere to in six months’ time (2nd September 2021).

The objective behind the Code is to enhance the protection of children’s data online.

Children need protecting even more than adults, of course. They are vulnerable. Data breaches can have serious, sometimes lifelong, implications for them. But of course not all children are the same. The way children understand things (like your privacy notices) differs from age- group to age-group. They also have different development needs.

For providers of online information services (or ‘information society services’), a key driver must surely be to enhance the level of trust that current and future customers will have in their services. Trust has to be earned, of course, so by getting the business ready for implementation of the Code, and demonstrating to the World that you genuinely value privacy and will always act responsibly, you will be doing the right thing for your customers. 

This Code applies to “relevant information society services which are likely to be accessed by children”.

The ‘relevant’ bit simply means that the in-scope services will involve the processing of personal data under the UK GDPR.

But note that the ISS caught by this Code do not need to be those that are actively targeting Children. It will be enough if the services are “likely to be accessed” by them. So it is more about understanding the reality of how your services are used and ensuring that even where Children are not the target audience, the end-to-end design and management of your services anticipate the likelihood of children using them and as a consequence having their personal data used.

The ICO recommends that service providers take “a common sense approach”. In fact, though, what it will require is a thoughtful and analytical approach to the design and management of these services. Services that are unsuitable for children should be inaccessible to them. Services on the other hand that are not aimed at them but which are not necessarily unsuitable per se should be designed in a way that does not actively encourage children to access them.

Underneath all this of course are the UK GDPR rules, the principles and practices we are already familiar with. So the principle of ‘accountability’ continues to apply. This will, no doubt, mean that even if you conclude that children are not likely to access your services and that as a result you need not comply with the Code, you should record this decision and the analysis that led to it.

The Code will also potentially to apply to certain service providers who are based in the EU but who have a base in the UK which processes data “in the context of that establishment” or who offer the services to, or monitor, people in the UK.

For Parents and older children it may be useful to read through the Code so that you really understand your rights and how to enforce them.

Tim Heywood FRSA is a Partner at Gunnercooke llp and specialises in data protection law, acting for organisations collecting and processing data, and for individuals seeking to exercise their data privacy rights.

This blog is for information purposes only. It is not intended as and must not be relied on as legal advice. Always seek legal advice on your specific circumstances.