The ICO is marking the anniversary of the groundbreaking Children’s code, that has changed how children are treated online.
The Children’s code was fully rolled out in
In the past year, the ICO’s action has prompted changes by social media platforms, gaming websites and video streaming services.
Changes include targeted and personalised ads being blocked for children, children’s accounts set to private by default, adults blocked from directly messaging children and notifications turned off at bedtime.
The code has also had an international effect, inspiring reviews of children’s privacy protections in California, Europe, Canada and Australia.
Information Commissioner John Edwards said:
“We’ve seen real changes since the Children’s code came into force a year ago. These changes come as a result of the ICO’s action enforcing the code, making clear to industry the changes that are required.
“The result is that children are better protected online in 2022 than they were in 2021.
“This code makes clear that children are not like adults online, and their data needs greater protections. We want children to be online, learning, playing and experiencing the world, but with the right protections in place to do so.
“There’s more for us to achieve. We are currently looking into a number of different online services and their conformance with the code as well as ongoing investigations. And we’ll use our enforcement powers where they are required.”
Positive changes seen over the past year
The code has been instrumental in behaviour change of big tech platforms and smaller online services. Some changes we have observed over the past year include:
- Facebook and Instagram has limited targeting to age, gender, and location for under-18s. Accounts for users under 13-years-of-age are deleted upon detection. Both Facebook and Instagram ask users to share their birthday with the platform if they haven’t shared it previously. Access is also restricted for people who repeatedly enter different birthdays and accounts are removed if they cannot prove they meet age requirements.
- YouTube has turned off autoplay by default and turned on take a break and bedtime reminders by default for Google Accounts for under 18s.
- Google has enabled anyone under 18 (or their parent/guardian) to request to remove their images from Google image search results, location history cannot be enabled by Google accounts of under 18s and they have expanded safeguards to prohibit age-sensitive ad categories from being shown to these users.
- Nintendo only allows users above 16 years-of-age to create their own account and set their own preferences.
The code applies to any service being used by children living in the UK, and we have seen changes by companies around the world. We have also seen other countries strengthening the protections they provide for children, inspired by our work. These include the recently proposed California Age Appropriate Design Code Bill, which uses the ICO’s Children’s code as a template, while Unicef are looking at how protections can be brought in globally.
Organisations providing online services and products likely to be accessed by children must abide by the code or face tough sanctions. The ICO are currently looking into how over 50 different online services are conforming with the code, with four ongoing investigations. We have also audited nine organisations and are currently assessing their outcomes.
We will continue to evolve our approach, listening to others to ensure the code is having the maximum impact.
For example, we have seen an increasing amount of research (from the NSPCC, 5Rights, Microsoft and British Board of Film Classification), that children are likely to be accessing adult-only services and that these pose data protection harms, with children losing control of their data or being manipulated to give more data, in addition to content harms. We have therefore revised our position to clarify that adult-only services are in scope of the Children’s code if they are likely to be accessed by children.
As well as engaging with adult-only services directly to ensure they conform with the code, we will also be working closely with Ofcom and the Department for Digital, Culture, Media and Sport (DCMS) to establish how the code works in practice in relation to adult-only services and what they should expect. This work is continuing to drive the improvements necessary to provide a better internet for children.
Notes to editors
- For further information on the Children’s code, please visit our website: https://ico.org.uk/childrenscode
- The Information Commissioner’s Office (ICO) is the UK’s independent regulator for data protection and information rights law, upholding information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
- The ICO has specific responsibilities set out in the Data Protection Act 2018 (DPA2018), the UK General Data Protection Regulation (UK GDPR), the Freedom of Information Act 2000 (FOIA), Environmental Information Regulations 2004 (EIR) and Privacy and Electronic Communications Regulations 2003 (PECR).
- The Government included provisions in the Data Protection Act 2018 to create world-leading standards that provide proper safeguards for children when they are online.
- As part of that, the ICO is required to produce an age-appropriate design code of practice to give guidance to organisations about the privacy standards they should adopt when offering online services and apps that children are likely to access and which will process their personal data. (A link to the Parliamentary debate, led by Baroness Kidron, is here.)
- The first draft of the code went out to consultation in April 2019. It was informed by initial views and evidence gathered from designers, app developers, academics and civil society. You can read the responses here.
- The ICO also sought views from parents and children by working with research company Revealing Reality. The findings from that work are here.
- To report a concern to the ICO, go to ico.org.uk/concerns.