Does the UK's Age-Appropriate Design Code Apply to Your Business?

Following the introduction of the Age-Appropriate Design Code (the Code) on 2 September 2021, companies have questioned whether the Code applies to their online service. A recent consultation by the ICO seeks to clarify when an online service will be considered to fall within the scope of the Code. For background on the Code itself, please see our earlier update, “The UK's Age-Appropriate Design Code in Effect.”

What is the focus of the ICO’s draft guidance?

As outlined in the Code, organisations fall within the scope of the Code if their online service is likely to be accessed by children. What this means in practice has generated some confusion among online service providers. In a bid to provide some clarity, the draft supplementary guidance issued by the ICO focuses on clarifying when an online service is ‘likely to be accessed’ by children and includes some FAQs, a list of factors that should be considered during an assessment and practical case studies for illustration purposes.

What does likely to be accessed by children mean?

The ICO notes that the Code applies to online services that are:

• Intended for use by children (i.e., children’s video game platform); or
• The service is not aimed at children, but a “significant number of children” access the service. Importantly, even if you specify in your terms of service that the service is not aimed at children and that children should not access your service (i.e., you offer an adult only service), the Code will still apply if children (under 18s) access your service.

What is a “significant number of children”?

The ICO states that “significant” “does not mean that many children must be using the service or that children form a substantial proportion of your users”, rather it means there are more than a “de minimis or insignificant number of children using the service”.

In establishing whether the number of children accessing the service is significant, the ICO has provided some examples of factors that can be considered by the organisation when carrying out the assessment, such as:

• Actual evidence indicating that children use the service, such as statistics, analytics, market research, whether advertisements may appeal to children and complaints received about children using the service; and
• Other relevant evidence such as business reporting indicating that children are a potential audience, independent research or any advertising targeted at children.

How can organisations demonstrate that they have assessed the above?

The primary mechanism recommended for documenting such an assessment is a Data Protection Impact Assessment. The ICO recommends that the assessment should consider each of the factors on its list of example measures.

Importantly, even if you decide that the Code does not apply to your service, the ICO still expects that you document your reasoning for such a decision.

Additionally, if you have determined that the Code does not apply to your service, you should ensure you have your internal metrics collated and available for inspection by the regulator to support this conclusion. If a regulator receives complaints about children using your service or relies upon anecdotes from press reports for example, it will be important to have evidence to the contrary available for rebuttal. This evidence should be kept up to date and be subject to ongoing review.

What is the status of the guidance?

The content of the draft guidance is currently being consulted on, with feedback to be submitted by stakeholders by 19 May 2023. The ICO will review any feedback which it has received during the consultation and subsequently issue its updated guidance.

If you have questions about the Code, please contact Orrick’s Cyber, Privacy & Data Innovation Group.