The Children’s code (or the age-appropriate design code) contains 15 standards that online service providers need to follow.
Websites and products affected by the Children's code need to provide additional layers of protection for children’s data. This might involve restricting or removing certain features for children if they’re under 18. Some of the things you might see are:
- privacy settings being automatically set to very high;
- children and their parents/carers being given more control of the privacy settings;
- non-essential location tracking being switched off;
- children no longer being ‘nudged’ by sites through notifications to lower their privacy settings; and
- clearer and more accessible tools being in place to help children exercise their data protection rights (including parental consent tools).
If children are likely to access your service, even if they are not your target audience or user, then you need to consider the Children’s code.
The Children’s code does not apply to schools and educational and training institutions processing the information of people under the age of 18 for the purposes of education. However, the Children’s code may apply to providers of EdTech used in schools.
EdTech providers are in scope of the code if they process personal information beyond the instructions of a school, and determine why and how personal information is processed. The code applies even where you provide the direct-to-consumer EdTech service on a non-profit basis.
The code also applies to EdTech services provided to children through a school, where the EdTech provider influences the nature and purpose of the processing of children’s personal information. Though schools themselves are not caught, an EdTech service used within a school environment may still meet the criteria of an Information Society Service (and may be required to comply with the code).
The code does not apply to EdTech providers where all the following criteria are met:
- the EdTech service is not accessed on a direct-to-consumer basis;
- the EdTech provider only processes children’s personal information to fulfil the school’s public tasks and educational functions (as determined by the school); and
- the EdTech provider acts solely on the instruction of the school and does not process children’s personal information in any other form beyond these instructions.
Both schools and EdTech providers will want to ensure they have accurately described their roles and responsibilities as data controllers and data processors: each identifying their relevant lawful basis for processing children's data. Where EdTech services are made available to children through a school, schools will want to ensure their contracts and the EdTech's service level agreements address compliance with the Children's code.