Privacy & Information Security Law Blog

On May 31, 2019, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth LLP submitted comments to the UK Information Commissioner’s Office (the “ICO”) public consultation on its draft code of practice for age appropriate design for online services (the “Code”).

As we previously reported, the Code was published in accordance with the ICO’s obligation under section 123 of the Data Protection Act 2018 to prepare a code of practice on standards of age appropriate design of online services likely to be accessed by children.

In responding to the consultation, CIPL pointed to some key and strategic areas relevant to the Code’s overall structure and direction. In particular, CIPL believes that the Code should:

• not extend to cover services that are not offered to or intended for children, and which children are not likely to access;
• reflect the risk-based approach enshrined in the GDPR as not all processing of personal data relating to children raises the same levels of risk;
• recognize the need to implement age verification mechanisms only when the service is directed to children;
• recognize the developing autonomy of young people and avoid imposing requirements that have the effect of treating older teenagers as children;
• provide a flexible and adaptable set of requirements in relation to the provision of privacy disclosures depending on the age category of the children;
• further consider the benefits linked to geolocalization and personalization of content in the context of online services likely to be accessed by children;
• be legally robust and not exceed the ICO’s statutory mandate in order to avoid possible legal challenges in the future; and
• clarify the role data protection impact assessments may play in the context of processing personal data in order to provide online services likely to be accessed by children—namely, by integrating proportionality considerations and limiting the impact assessment to the privacy of individuals and their related rights and freedoms.

Although there is real time and political pressure for the ICO to deliver on the requirements of the UK Data Protection Act 2018 and to present this Code to the British Parliament, CIPL believes that the Code would benefit from further constructive engagement with industry to ensure a robust and proportionate approach, which can be implemented to the benefit of individuals and information society service providers.

To read more about the points above, along with all of CIPL’s other recommendations regarding the Code, please see the full paper.