ICO’s new draft guidance on “likely to be accessed by children” under the Age Appropriate Design Code
When will an online service fall within the scope of the Age Appropriate Design Code?
The key takeaway
Assessing whether an online service is likely to be accessed by children is a continuous exercise. A service that at the outset did not fall within the scope of the Code, due to an insignificant number of children accessing the service, may find itself in scope.
The Age Appropriate Design Code (also known as the “Code” or the “Children’s Code”) came into force on 2 September 2020 with the aim of ensuring that providers of online services “likely accessed by children”, comply with their duties and responsibilities under different data protection laws, such as UK GDPR and The Data Protection Act 2018 (the Act), to protect children’s personal data online.
The Code applies to “information society services likely accessed by children”, meaning “any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services”. This includes social media platforms, online marketplaces, online messaging platforms and search engines.
In September 2022, the ICO published draft guidance which included FAQs, a list of factors and case studies, to assist Information Society Service (ISS) providers in assessing whether children are likely to access their services, after making it clear that adult-only services may fall within scope of this Code.
Under the ICO guidance, all ISS providers must determine whether children are likely to access their services, which includes adult-only services, services aimed at children and services that are not intended to be used by children but are accessed or are likely to be accessed by a “significant number of children” or individuals under the age of 18 years (ICO guidance provides that the actual identity of under 18s does not need to be established).
The “significant number of children” phrase stipulates that the ISS provider must determine whether “more than a de minimis or insignificant number” of children are likely to access the service provided, thus children must form a material group of users or likely users.
When a provider uses an age-gating page to restrict access by children, the page itself does not fall within scope, if the age-gating page is effective, robust and an extension of the adult site (however, this page must nevertheless be compliant with data protection legislation).
A list of non-exhaustive factors should be used by the ISS provider to determine whether the services are likely to be accessed by children, these include:
- the number of child users in absolute terms, or the proportion of all UK users or the proportion of all children in the UK that the child users of the service represent
- evidence of user behaviour
- information on the likely appeal of advertisements in use
- information about complaints received regarding children accessing the service
- content, design features and activities, which might draw children’s attention
- research – public or commissioned independently
- understanding whether children are accessing services similar in nature and content, and
- whether the way the services are marketed, described, and promoted targets under 18s.
If the ISS provider concludes that children are likely to access the service and such service is not appropriate for children, the provider should apply age assurance measures to restrict access or ensure that services comply with the Children’s Code in a “risk-based and proportionate manner”.
Why is this important?
Although this guidance is in draft form and undergoing consultation, it is helpful for ISS providers when determining whether the services provided are “likely to be accessed by children”. When finalised, this will be a welcome guidance for providers, who previously may have found it difficult to ascertain whether services fall in scope, given the lack of guidance in this area.
Any practical tips?
Every ISS provider should determine whether children are likely to access the services using the non-exhaustive list of factors prepared by the ICO.
Where an ISS provider determines that children are not likely to access the services provided, the provider should document the decision and provide evidence. The ICO provides several examples, which include “market research, current evidence on user behaviour, the user base of similar or existing services and service types and testing of access restriction measures”.
Assessing whether children access the services should be an ongoing exercise. Although it may seem that children are unlikely to access a service, or if it is found that in fact a “significant number of children” are accessing the service, the Code will apply. The Code also applies to new and existing services
Simply stating in the terms of service section that individuals under the age of 18 should not access the service does not excuse the ISS provider from complying with the Code, when in reality, children access the service. As mentioned by the ICO, a self-declared age assurance method may not be effective in restricting children’s access to content which is not children appropriate
If services are offered to children, a data protection impact assessment (DPIA), must be carried out and such should consider each factor from the non-exhaustive list provided by the ICO.