ICO: The Children's code and education technologies

The Children’s code, officially known as the Age-appropriate design code, was issued by the ICO – according to whom children are “using an internet that was not designed for them”. The code contains 15 standards that online services need to follow to ensure they comply with their data protection obligations. Providers need to consider the Children’s code if children are likely to use the service, even if they are not the target audience. Although there have been no changes to the code itself, the ICO recently clarified the way in which it applies to providers of educational technology (edtech) services.

Clarification as to when the code applies to edtech service providers

Following this guidance, the ICO has provided further clarification on when edtech providers are classed as Information Society Service (ISS) providers, and therefore subject to the requirements of the code. An ISS is defined as “any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services”. The code applies even if the service is provided on a non-profit basis: because most similar services are provided on a for-profit basis, the ICO considers that non-profit edtech services still count as “normally provided for remuneration” under the ISS definition.

Schools themselves do not fall under the ISS definition so are not subject to the code. There are two scenarios in which edtech service providers will be subject to the code:

  • Where the edtech services are likely to be accessed by children on a direct-to-consumer basis
  • Where the edtech services are provided through a school and the edtech provider determines the purpose of the processing of children’s personal information

From a data protection perspective, edtech service providers are controllers in their own right if they use the personal data of children for their own purposes (for example marketing, advertising, or research).

When does the code not apply to edtech service providers?

In order for the code not to apply, all of the following criteria must be met:

  • The edtech service is not accessed on a direct-to-consumer basis.
  • The provider only processes the information to fulfil the school’s public tasks and educational functions as determined by the school.
  • The provider acts solely on the instructions of the school and does not process the information in any other form beyond these instructions.

In these circumstances the provider is a digital extension of the school’s offline activities, and the use of children’s personal information is limited solely to the school’s educational purposes. It is likely that the edtech provider would be factually acting as a processor in this situation.

Regardless of whether the code applies, edtech providers are still subject to the requirements of data protection and e-privacy legislation.

The standards are briefly summarised as follows:

  1. Best interests of the child – this should be a primary consideration when designing online services likely to be accessed by a child.
  2. Data protection impact assessments – assess and mitigate risks to the rights and freedoms of children who are likely to access your service.
  3. Age appropriate application – take a risk-based approach to recognising the age of individual users and ensure you effectively apply the standards in this code to child users.
  4. Transparency – the privacy information you provide to users, and other published terms, policies and community standards, must be concise, prominent and in clear language suited to the age of the child.
  5. Detrimental use of data – do not use children’s personal data in ways that have been shown to be detrimental to their wellbeing.
  6. Policies and community standards – uphold your own published terms, policies and community standards.
  7. Default settings – settings must be "high privacy" by default.
  8. Data minimisation – collect and retain only the minimum amount of personal data you need to provide the elements of your service in which a child is actively and knowingly engaged.
  9. Data sharing – do not disclose children’s data unless you can demonstrate a compelling reason to do so, taking account of the best interests of the child.
  10. Geolocation – switch geolocation options off by default.
  11. Parental controls – if you provide parental controls, give the child age appropriate information about this.
  12. Profiling – switch options which use profiling "off" by default.
  13. Nudge techniques – do not use nudge techniques to lead or encourage children to provide unnecessary personal data or weaken or turn off their privacy protections.
  14. Connected toys and devices – if you provide a connected toy or device ensure you include effective tools to enable conformance to this code.
  15. Online tools – provide prominent and accessible tools to help children exercise their data protection rights and report concerns.

Our commercial team has extensive experience advising businesses on data protection and we would be happy to answer any questions you may have.
