On 2 September 2021, the transition year for the Children’s code (or Age Appropriate Design Code) published by the UK Information Commissioner (“ICO”) ended. The ICO’s Children’s code was first published in September 2020, with a 12-month transition period. In an accompanying blog, the ICO has stated that it will be “proactive in requiring social media platforms, video and music streaming sites and the gaming industry to tell [the ICO] how their services are designed in line with the code.”
Over the summer, the ICO has also approved two certification schemes under the UK GDPR. The certification schemes provide organizations with a mechanism to demonstrate their high level of commitment to data protection compliance.
The schemes were developed by the Age Check Certification Scheme (“ACCS”) and outline the criteria for: (i) age assurance products (see here); and (ii) age appropriate design of information society services based on the Children’s code (see here).
- Age Assurance (ACCS-2): This scheme sets out the technical requirements for age-checking services, such as Proof-of-Age ID providers, Age Check Providers, Age Exchange Service Providers, Electronic ID Validation Services, and Analytical and Profiling Services.
- Children’s Online Privacy (ACCS-3): This scheme sets out the technical requirements that organizations subject to the Children’s code could comply with to demonstrate compliance with it.
The above-mentioned certification schemes work hand in hand, so that organizations could obtain certifications under both schemes to demonstrate compliance with the Children’s code. Organizations seeking certification under these schemes may do so by directly applying to the certification body, the ACCS. Achieving certification will generally require the following:
- Defining the scope of the certification e.g. specifying the product, process or service for assessment and certification (as set out in Section 1 of the certification schemes);
- Mapping the data processing operations associated with the relevant product, process or services; and
- Payment of a fee to the ACCS to conduct audits and testing to ensure that the product, process or service meets the scheme criteria.
If an organization meets the certification scheme criteria, ACCS will issue a certificate and allow the organization to use and display a specific mark to demonstrate that it has achieved certification. Certification is voluntary but it can help organizations to achieve a competitive advantage, demonstrate compliance with the UK GDPR, show transparency and accountability, instill trust and confidence in customers, and improve the standards of the organization. The certification only applies to products, processes or services that are established in the UK, or, if established outside the UK, are offered to individuals in the UK or monitor the behavior of individuals in the UK.
The ICO’s Children’s code is consistent with and referred to in both the Irish Data Protection Commission’s draft Fundamentals for a Child-Oriented Approach to Data Processing (see our blog here) and the French CNIL’s Recommendations for Protecting Minors Online (see our blog here).