The ICO's Age Appropriate Design Code (also known as the Children's Code) comes into force in just six months (2 September 2021). The Code contains 15 standards and providers are expected to build these standards into the design of their services regarding the processing of the personal data of children. These standards include:
- providing privacy settings that are high by default;
- switching off geo-location services that can reveal a child’s location to the world; and
- not using nudge techniques and notifications to encourage children to provide more personal data.
Many organisations will still have a lot to do to ensure their services comply with these standards by September. It should be borne in mind that this is a statutory code, which means the ICO would consider whether a provider has complied with the Code in deciding whether it is compliant with data protection law. For example, if the ICO was considering a complaint that a provider had breached data protection laws, such as not being fair in its processing of children's data, they would use the Code as a guide for expected standards for compliance. Therefore, all of the applicable high potential fines and enforcement powers that exist under UK GDPR are relevant here, but there aren't separate fines for the Code specifically.