Earlier this year, the ICO published an evaluation report on the Children’s Code. The evaluation report was produced as part of the ICO’s efforts to assess the impact of the Children’s Code (the Code) after the end of the Code’s transition phase on 2 September 2021.

It is clear from the evaluation report that the implementation of the Code remains a top priority for the ICO. The ICO highlights that the Code has set the tone for children’s privacy rights across different jurisdictions and has led to large online providers implementing measures to make their services more suitable for children. The evaluation report states that a future focus for the ICO might be conformity with the Code by small and medium-sized enterprises (SMEs), and also states that the most common suggestion received from respondents was “more robust and purposeful” enforcement activity.

The ICO states that as part of the evaluation report, the ICO assessed over 50 organisations for compliance with the Code and audited 10 online services. At the time of issuing the evaluation report, it also had 11 open investigations.

Catalyst for Change

In its summary document titled “Key Messages From the Children’s Code Evaluation”, the ICO concludes that the Code has been “a catalyst for change” because it has been at the forefront of the current global trend towards tackling children’s data issues. 

Regulatory changes – The Code has been used as a point of reference for other countries that have focused their attention on children’s privacy and adopted legislation and regulatory guidance aimed at increasing protection for children online, including California (Age-Appropriate Design Code Act), Australia (the attorney general’s department is recommending the development of a children’s code based on the UK Code) and Ireland (the Irish regulator has recently issued guidance on the fundamentals for data processing in a child-oriented way).

Industry changes – The evaluation report cites Facebook’s and Instagram’s restrictions on targeted advertising for users under 18, and Instagram’s parental supervision features and time management tools like “Take a Break”, as changes flowing from the introduction of the Code. The ICO also refers to YouTube’s introduction of default take-a-break and bedtime reminders for 13- to 17-year-olds, and TikTok’s decision to have accounts of users under 16 set to private as default, as measures adopted to improve online child safety, stemming from the introduction of the Code.

Compliance costs – The ICO states that, although businesses have incurred costs as part of adopting the Code, these costs have fallen over time, and businesses acknowledged benefits linked to the Code, including marketing opportunities. However, the ICO also recognises that the Code is not yet fully implemented by businesses and that there is more work to be done, as levels of familiarity with the Code are still low.

Certification schemes – To date, the ICO has approved two certification schemes relating to children’s privacy – the Age Check Certification Scheme and the Age Appropriate Design Certification Scheme. However, as of February 2023, only five organisations had received certifications under these schemes, although others are working through the certification process.

Next steps – It is worth noting that the evaluation report states that the implementation of the Code by SMEs at the start – and as an integral part – of operations (privacy by design) is an area of focus for potential future work for the ICO.

Perhaps even more importantly, the ICO states that more robust and purposeful enforcement activity by the ICO was the most common suggestion to encourage changes in the industry, with one respondent reporting, “The industry is refusing to act, citing lack of clarity about their obligations. More than anything, the common perception in the industry is that there will be no consequences for non-compliance and that serious enforcement will not happen.”

In respect of certification schemes, the ICO states that it is working to remedy low levels of awareness and highlights the schemes as “trailblazing” and leading the way in Europe, as well as globally, on data protection authority approved schemes.

Disclaimer: While every effort has been made to ensure that the information contained in this article is accurate, neither its authors nor Squire Patton Boggs accepts responsibility for any errors or omissions. The content of this article is for general information only, and is not intended to constitute or be relied upon as legal advice.