The UK’s Information Commissioner’s Office has issued guidance on the scope of age appropriate design code, and they want public comment. This is very important for companies subject to the already passed California Age Appropriate Design Code, and those who could be covered in the future by copy-cat state bills.
Likely to access:
- You must decide whether children are likely to access your service, even if you run an adult-only service.
- The code applies both to services that are intended for use by children, and to services that are not aimed at children, but are accessed by a “significant number of children.”
- Even if you state in your terms of service that under 18s should not access your service, you still fall within scope of the code if children access your site in practice.
- If you have an existing service and children form a substantive and identifiable user group, the ‘likely to be accessed by’ definition will apply.
- If you decide that your service is not likely to be accessed by children and that you are therefore not going to implement the code, then you should document and support the reasons for your decision. You may wish to refer to market research, current evidence on user behavior, the user base of similar or existing services and service types, and testing of access restriction measures.
- If you initially judge that the service is not likely to be accessed by children, but evidence later emerges that a significant number of children are in fact accessing your service, you will need to conform to the standards.
Significant Number of Children:
- A “significant number of children” means that the number of children accessing or likely to access your service is material.
- “Significant” in this context does not mean that a large number of children must be using the service or that children form a substantial proportion of your users. It means that there are more than a de minimis or insignificant number of children using the service.
- If a significant number of children are likely to access your service, you should conform with the standards of the code, or apply robust age-based access restrictions.
Your age-gating page will not be within scope of the code if:
- you use it to ensure that children are not accessing your adult site.
- the measures are robust and effective and therefore prevent under 18s accessing the service
- it is not an extension of your adult site (e.g. the age-gating page doesn’t allow access to parts of your adult site before age assurance occurs.)
You must ensure that your age-gating page is compliant with data protection legislation. In particular, you must process children’s personal information to ascertain their age transparently and fairly. You also need to ensure the age-gating page complies with e-privacy legislation, including only using strictly necessary cookies.
It is unlikely that a self-declaration age assurance method is an effective way to restrict access to this type of content.
Factors to consider when determining whether children are likely to access your website (This is a non- exhaustive list):
- You should consider each of the factors in turn, along with any others that could be relevant, to ensure you have fully assessed whether children are likely to access your service.
- Failure to consider the whole list, and to adequately assess whether children are in fact likely to access your service, risks non-compliance with your accountability requirements.
- Manga cartoon videos, imaged bright colours, emojis and the live streaming of users playing video games (including video games known to be popular with children) are considered to be content that applies to children per Civil society and academic research.
- If you operate an existing adult-only service, should you still carry out an assessment of whether children are likely to access it? Yes. And you should concentrate on ensuring that children are prevented from accessing your service, rather than seeking to apply the standards of the code.
- If children are accessing the service, you must consider whether their personal information may be processed through third party cookie data sharing and profiling based on how the person engages with the content.