ICO urges businesses to act now as Children’s Code comes into force in six months

Initial findings from industry research set up by the Information Commissioner’s Office (ICO) show that three quarters of businesses surveyed are aware of the Children’s Code.

Some 500 services and businesses were part of a survey to gauge understanding of the code, and the opportunities and challenges that it may present to organisations. The full findings will be published in May but initial analysis shows businesses are still in the preparation stages.

And with just six months to go until the code comes into force, the ICO is urging organisations and businesses to make the necessary changes to their online services and products.

The Children’s Code sets out 15 standards organisations must meet to ensure that children’s data is protected online. The code will apply to all the major online services used by children in the UK and includes measures such as providing default settings which ensure that children have the best possible access to online services whilst minimising data collection and use.

The importance of the code will be reflected by Information Commissioner Elizabeth Denham when she addresses the Oxford Internet Institute later this week.

She will say:

“This week marks six months until the code is fully in place, and there is plenty still to be done, both by my office in supporting organisations, and in businesses stepping up to make the necessary changes.

“But that work will be worthwhile. The code is an important piece of work in protecting children. In the coming decade, I believe children’s codes will be adopted by a great number of jurisdictions and we will look back and find it astonishing that there was ever a time that children did not have these mandated protections.

“There is a more fundamental point here too: if we have a generation who grow up seeing digital services misuse their personal data, what does that do to their trust in innovation in the future?”

Details of the code were first published in June 2018 and UK Parliament approved it last year. Since then, the ICO has been providing support and advice to help organisations adapt their online services and products in line with data protection law.

Emily Keaney, ICO’s Director of Regulatory Strategy said:

“The Children’s Code plays a vital role in protecting children online. Businesses need to turn their awareness into action. If they haven’t already, services affected must take action now if they are to meet the September 2021 deadline.

“We’re here to help with support, advice and resources.”

The regulator has launched a call for transparency champions. These are organisations that are designing projects using privacy information in ways that are easy for children to understand and engage with.

The Children’s Code hub has a variety of resources for organisations to understand the code and whether they are in scope of it.

The ICO has been holding webinars with online sectors and will be hosting a workshop at the Festival of UX & Design 2021 for the design community to raise awareness of the code and explain how it can be applied to innovative projects. The ICO wants to understand if there are any further challenges for businesses in this area so it can provide tailored guidance and support.

Innovative projects on the theme of children’s privacy are already underway as part of the ICO Sandbox, including from Yoti, Seers and FlyingBinary. These organisations are working with the ICO Sandbox team to ensure their online services and products are built with a privacy-by-design approach and are meeting the requirements set out by the code to protect children online.

For more information visit ico.org.uk/childrenscode

Notes to Editors

1. The Information Commissioner’s Office (ICO) upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
2. The ICO has specific responsibilities set out in the Data Protection Act 2018, the UK General Data Protection Regulation (GDPR), the Freedom of Information Act 2000, Environmental Information Regulations 2004 and Privacy and Electronic Communications Regulations 2003.
3. The Government included provisions in the Data Protection Act 2018 to create world-leading standards that provide proper safeguards for children when they are online.
4. The 15 standards in the Children’s Code are backed by existing data protection laws which are legally enforceable and regulated by the ICO.
5. The ICO’s first phase of industry research will be published in May 2021, with the final results published in October 2021.
6. Since 25 May 2018, the ICO has the power to impose a civil monetary penalty (CMP) on a data controller of up to £17million (20m Euro) or 4% of global turnover.
7. The DPA2018 and UK GDPR gave the ICO new strengthened powers.
8. The data protection principles in the UK GDPR evolved from the original DPA, and set out the main responsibilities for organisations.
9. To report a concern to the ICO, go to ico.org.uk/concerns.