On 2 September 2021, the transition year for the Children’s code (or Age Appropriate Design Code) published by the UK Information Commissioner (“ICO”) ended. The ICO’s Children’s code was first published in September 2020, with a 12-month transition period. In an accompanying blog, the ICO has stated that it will be “proactive in requiring social media platforms, video and music streaming sites and the gaming industry to tell [the ICO] how their services are designed in line with the code.”

Over the summer, the ICO has also approved two certification schemes under the UK GDPR. The certification schemes provide organizations with a mechanism to demonstrate their high level of commitment to data protection compliance.

The schemes were developed by Age Check Certification Scheme (“ACCS”), and outlines the criteria for: (i) age assurance products (see here); and (ii) age appropriate design of information society services based on the Children’s code (see here).

  • Age Assurance (ACCS-2): This scheme sets out the technical requirements for age-checking services, such as Proof-of-Age ID providers, Age Check Providers, Age Exchange Service Providers, Electronic ID Validation Services, and Analytical and Profiling Services.
  • Children’s Online Privacy (ACCS-3): This scheme sets out the technical requirements that organizations subject to the Children’s code could comply with to demonstrate compliance with the Children’s code.

The above-mentioned certification schemes work hand in hand, so that organizations could obtain certifications under both schemes to demonstrate compliance with the Children’s code. Organizations seeking certification under these schemes may do so by directly applying to the certification body, the ACCS. Achieving certification will generally require the following:

  • Defining the scope of the certification e.g. specifying the product, process or service for assessment and certification (as set out in Section 1 of the certification schemes);
  • Mapping the data processing operations associated with the relevant product, process or services; and
  • Payment of a fee to the ACCS to conduct audits and testing to ensure that the product, process or service meets the scheme criteria.

If an organization meets the certification scheme criteria, ACCS will issue a certificate and allow the organization to use and display a specific mark to demonstrate that it has achieved certification. Certification is voluntary but it can help organizations to achieve a competitive advantage, demonstrate compliance with the UK GDPR, show transparency and accountability, instill trust and confidence in customers, and improve the standards of the organization. The certification only applies to products, processes or services that are established in the UK, or, if established outside the UK, are offered to individuals in the UK / monitors the behavior of individuals in the UK.

The ICO’s Children’s code is consistent with and referred to in both the Irish Data Protection Commission’s draft Fundamentals for a Child-Oriented Approach to Data Processing (see our blog here) and the French CNIL’s Recommendations for Protecting Minors Online (see our blog here).

Print:
EmailTweetLikeLinkedIn
Photo of Dan Cooper Dan Cooper

Daniel Cooper heads up the firm’s growing Data Privacy and Cybersecurity practice in London, and counsels clients in the information technology, pharmaceutical research, sports and financial services industries, among others, on European and UK data protection, data retention and freedom of information laws…

Daniel Cooper heads up the firm’s growing Data Privacy and Cybersecurity practice in London, and counsels clients in the information technology, pharmaceutical research, sports and financial services industries, among others, on European and UK data protection, data retention and freedom of information laws, as well as associated information technology and e-commerce laws and regulations. Mr. Cooper also regularly counsels clients with respect to Internet-related liabilities under European and US laws. Mr. Cooper sits on the advisory boards of a number of privacy NGOs, privacy think tanks, and related bodies.

Photo of Mark Young Mark Young

Mark Young advises clients on data protection, cybersecurity and other tech regulatory matters. He has particular expertise in product counselling, GDPR regulatory investigations, and legislative advocacy. Mr. Young leads on EU cybersecurity regulatory matters, and helps to oversee our internet enforcement team.

He…

Mark Young advises clients on data protection, cybersecurity and other tech regulatory matters. He has particular expertise in product counselling, GDPR regulatory investigations, and legislative advocacy. Mr. Young leads on EU cybersecurity regulatory matters, and helps to oversee our internet enforcement team.

He has been recognized in Chambers UK as “a trusted adviser – practical, results-oriented and an expert in the field.” Recent editions note that he is “deeply knowledgeable in the area of privacy and data protection,” “fast, thorough and responsive,” and has “great insight into the regulators.”

Mr. Young has over 15 years of experience advising global companies, particularly in the technology, health and pharmaceutical sectors, on all aspects of data protection and security. This includes providing practical guidance on analyzing and using personal data, transferring personal data across borders, and potential liability exposure. He specializes in advising in relation to new products and services, and providing strategic advice and advocacy on a range of EU law reform issues and references to the EU Court of Justice.

For cybersecurity matters, he counsels clients on practices to protect business-critical information and comply with national and sector-specific regulation, and on preparing for and responding to cyber-based attacks and internal threats to their networks and information. He has helped a range of organizations respond to cyber and data security incidents – including external data breaches and insider theft of trade secrets – through the stages of initial detection, containment, notification, recovery and remediation.

In the IP enforcement space, Mr. Young represents right owners in the sport, media, publishing, fashion and luxury goods industries, and helps coordinate a team of internet investigators that has nearly two decades of experience conducting global notice and takedown programs to combat internet piracy.

Jiayen Ong

Jiayen Ong is a Trainee Solicitor who attended Queen Mary, University of London.