“Children are better protected online in 2022 than they were in 2021” – ICO marks anniversary of Children’s code

The ICO is marking the anniversary of the groundbreaking Children’s code, that has changed how children are treated online.

The Children’s code was fully rolled out in September 2021, requiring online services including websites, apps and games to provide better privacy protections for children, ensuring their personal data is protected within the digital world.

In the past year, the ICO’s action has prompted changes by social media platforms, gaming websites and video streaming services.

Changes include targeted and personalised ads being blocked for children, children’s accounts set to private by default, adults blocked from directly messaging children and notifications turned off at bedtime.

The code has also had an international effect, inspiring reviews of children’s privacy protections in California, Europe, Canada and Australia.
Information Commissioner John Edwards said:

“We’ve seen real changes since the Children’s code came into force a year ago. These changes come as a result of the ICO’s action enforcing the code, making clear to industry the changes that are required.

“The result is that children are better protected online in 2022 than they were in 2021.

“This code makes clear that children are not like adults online, and their data needs greater protections. We want children to be online, learning, playing and experiencing the world, but with the right protections in place to do so.

“There’s more for us to achieve. We are currently looking into a number of different online services and their conformance with the code as well as ongoing investigations. And we’ll use our enforcement powers where they are required.”

Positive changes seen over the past year

The code has been instrumental in behaviour change of big tech platforms and smaller online services. Some changes we have observed over the past year include:

  • Facebook and Instagram has limited targeting to age, gender, and location for under-18s. Both Facebook and Instagram ask for people’s date of birth at sign up, preventing them from signing up if they repeatedly entered different dates, and disabling accounts where people can’t prove they’re over 13. Instagram also launched parental supervision tools, along with new features like Take A Break to help teens manage their time on the app.
  • YouTube has turned off autoplay by default and turned on take a break and bedtime reminders by default for Google Accounts for under 18s.
  • Google has enabled anyone under 18 (or their parent/guardian) to request to remove their images from Google image search results, location history cannot be enabled by Google accounts of under 18s and they have expanded safeguards to prohibit age-sensitive ad categories from being shown to these users.
  • Nintendo only allows users above 16 years-of-age to create their own account and set their own preferences.

The code applies to any service being used by children living in the UK, and we have seen changes by companies around the world. We have also seen other countries strengthening the protections they provide for children, inspired by our work. These include the recently proposed California Age Appropriate Design Code Bill, which uses the ICO’s Children’s code as a template, while Unicef are looking at how protections can be brought in globally.

Organisations providing online services and products likely to be accessed by children must abide by the code or face tough sanctions. The ICO are currently looking into how over 50 different online services are conforming with the code, with four ongoing investigations. We have also audited nine organisations and are currently assessing their outcomes.

Next steps

We will continue to evolve our approach, listening to others to ensure the code is having the maximum impact.

For example, we have seen an increasing amount of research (from the NSPCC, 5Rights, Microsoft and British Board of Film Classification), that children are likely to be accessing adult-only services and that these pose data protection harms, with children losing control of their data or being manipulated to give more data, in addition to content harms. We have therefore revised our position to clarify that adult-only services are in scope of the Children’s code if they are likely to be accessed by children.

As well as engaging with adult-only services directly to ensure they conform with the code, we will also be working closely with Ofcom and the Department for Digital, Culture, Media and Sport (DCMS) to establish how the code works in practice in relation to adult-only services and what they should expect. This work is continuing to drive the improvements necessary to provide a better internet for children.

Related posts

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.