The UK Information Commissioner’s Office (“ICO”) recently published detailed draft guidance on what “likely to be accessed” by children means in the context of its Age-Appropriate Design Code (“Code”), which came into force on September 2, 2020. The Code applies to online services “likely to be accessed by children” in the UK. “Children” are individuals under the age of 18. In order to determine whether an online service is “likely to be accessed” by children, companies must assess whether the nature and content of the service has “particular appeal for children” and “the way in which the service was accessed”. This new draft guidance provides further assistance on how to make this assessment, and is undergoing a public consultation until May 19, 2023.
The draft guidance reiterates that the Code applies both to:
- services that are not intended for use by under-18s, but are nonetheless likely to be used by them; and
- services that are aimed at children.
The draft guidance focuses on the measures that “adult-only” services (i.e., those not intended for use by under-18s) could take to ensure they are not likely to be accessed by under-18s, taking them out of scope of the Code.
In particular, it clarifies:
- Adult-only services must look at the available evidence to determine whether it is likely to be accessed by children. The ICO provides a non-exhaustive list of factors that providers must take into account, along with some detailed use cases explaining how they might apply. The factors to be considered include:
- information about the actual ages of users, which the ICO suggests could come directly from those users or through other sources, including “age-profiling tools”;research (internal or external) about the actual or likely ages of users of similar services. For example, the ICO states that research showing that under-18s play one type of video game could indicate that under-18s will also be likely to access similar games. The guidance also provides the example of online dating sites, suggesting that market research might indicate that there are a significant number of active under-18 users;the prevalence of advertising aimed at children on the service;the content available on the site, and whether that content appeals to children. The guidance uses the example of a social media platform hosting manga cartoons, images with bright colors, emojis, and live video-game streaming, which may be more appealing to children; and
- how the service is marketed.
This assessment should be kept under review, and providers must comply with the Code if it becomes clear that “a significant number of children are in fact accessing [the] service”.
- Services that have age-gating pages that prevent under-18s from accessing the service are not covered by the Code, provided that they are effective. However, the ICO notes that a simple self-declaration of age is “unlikely” to be an effective way of restricting access to over-18s. The guidance does not provide detailed guidance on what would be “effective” age-gating, merely giving the example of a website offering adult content that uses “robust age assurance methods through several third-party technological solutions”. See our previous blog on EU and UK developments on age verification here.
- Providers should document their decisions about whether their services are likely to be accessed by children, and what steps they have chosen to take as a result of that decision (e.g., whether and how to age-gate the service, or how it will comply with the Code).
Covington’s Data Privacy and Cybersecurity Team will continue to monitor these developments. Our team is happy to assist with any inquiries relating to age verification and children’s privacy.