UK Proposes Substantial Expansion of Online Privacy Protections for Children

Privacy & Cybersecurity Update

Date: January 30, 2020

Key Notes:

  • New UK children’s privacy law overhauls current requirements.
  • Law covers UK children under 18 and goes beyond “notice and consent.”
  • Law sets out 15 design standards, reflecting a risk-based approach.

Children’s privacy always has been a tricky proposition: the law and regulations affecting marketing to children, tweens and teens long has been a patchwork of overlapping rules and the consequences of missing the mark – both legally and in brand and reputation aspects – have been serious. The situation is about to get even more complicated, particularly for businesses that interact with European consumers.

On January 21, 2020, Britain’s Information Commissioner’s Office (ICO) published the final version of its Age Appropriate Design Code (Code). The Code is a set of new rules that, if adopted, would require businesses that use or offer social networks, apps, connected toys and other online services likely to be used by children to review and revamp how they handle children’s personal information. The Code is more sweeping than the U.S. Children's Online Privacy Protection Act (COPPA), both in what it requires and whom it covers. As you may be aware, COPPA only applies to online services aimed at children under 13 and generally requires “notice and consent” to provide those services. The Code’s reach is broader, covering online services targeted to U.K. children under 18 and affecting many more operational and design aspects.

The Code sets out 15 standards, reflecting a risk-based approach to protecting children’s personal data. Importantly, the standards are not meant to be technical requirements, but rather “technology-neutral design principles and practical privacy features.” The ICO emphasizes that different services will require different technical solutions to comply.

The standards require that companies offering services to children under 18 must:

  1. Consider the best interests of the child in designing services;
  2. Complete a data protection impact assessment to account for and mitigate potential risks;
  3. Consider the likely age range of children who will use the services;
  4. Clearly communicate privacy practices;
  5. Refrain from using personal data in a way that could be detrimental to children;
  6. Uphold the company’s published terms and community standards;
  7. Institute default settings that strongly protect privacy;
  8. Minimize data collected;
  9. Refrain from disclosing data without a compelling reason;
  10. Deactivate geolocation technology (i.e., tracking) by default;
  11. Explain any use of parental controls;
  12. Deactivate by default those options which use profiling (automated processing of data to analyze or predict behavior);
  13. Not use “nudge techniques” to lead or encourage children to provide unnecessary data or weaken privacy settings;
  14. Ensure connected toys and devices comply with the Code; and
  15. Provide tools to help children exercise their rights and report concerns.

Effective Date and Enforcement

The Code, which soon will be submitted to Parliament, is expected to become effective several months after it is received. It is anticipated that, once effective, companies will have a year’s grace period to get up to speed, meaning that companies should be prepared to be fully compliant by early to mid-2021. Companies failing to comply with the Code face potential warnings, formal reprimands, stop orders and fines.

Next Steps

Firms offering online services in the U.K. and targeted to individuals under the age of 18 should assess current practices, conduct a meaningful data protection impact assessment, and determine what changes must be made to comply with the Code. The ICO expects affected companies to, at a minimum, institute an accountability program tailored to the nature of their business, adopt appropriate data protection policies and procedures, train employees on data practices, keep records of data processing activities, and be prepared to demonstrate compliance with the Code. We will continue to track this new regulation as well as any additional guidance on compliance, and we will be sure to keep you informed.


For more information, please contact:

Thomas F. Zych

Mona Adabi

Darcy M. Brosky

Craig A. Foster

Brian Doyle-Wenger

This advisory bulletin may be reproduced, in whole or in part, with the prior permission of Thompson Hine LLP and acknowledgment of its source and copyright. This publication is intended to inform clients about legal matters of current interest. It is not intended as legal advice. Readers should not act upon the information contained in it without professional counsel.

This document may be considered attorney advertising in some jurisdictions.