In brief

We have arrived at a tipping point. Policy makers, consumers, technologists and regulators are in agreement — the internet was not designed with children in mind. Lawmakers have come to the conclusion that new regulations are needed to support the online protection and flourishing of children and young people. This has prompted the recent proliferation of codes, laws, bills and regulatory guidance documents aimed at governing how online service providers must interact with young people. Key examples are the UK Age-Appropriate Design Code (“UK Code”) and the California Age-Appropriate Design Code Act (“California Code”). Youth protection measures have also been adopted or are progressing in Ireland, the Netherlands, the People’s Republic of China, Argentina, Utah, Arkansas, Oregon, New Jersey, Minnesota, Illinois, Maryland and other jurisdictions.


Contents

  1. Who must comply?
  2. Form and substance of the Codes
  3. The best interests of the child
  4. Data protection impact assessments
  5. Recommendations

Lawmakers share the goal of protecting young people from harm. But the laws that jurisdictions enact often pursue their objectives in different ways, such as by establishing different age thresholds around whom the laws protect, different criteria regarding who must comply, disparate roles for parents and their children, and dissimilar standards to which companies must adhere. The UK Code, which one of the authors of this article architected and implemented, has been in force since 2021. The California Code is modeled on the UK Code and comes into force on 1 July 2024. These two instruments follow similar principles. And they vary in subtle but important ways. We outline below some of these differences and similarities, before offering recommendations for companies faced with an uncertain children’s privacy landscape around the world.

Who must comply?

The UK and California Codes are focused on providers of online services that are “likely to be accessed by children,” which both codes define to mean essentially any online service that is directed to children under 18, appealing to children, or actually used by a significant number of children. The UK Code applies to information society services irrespective of their size or economic footprint. It applies to online service providers if they are established in the UK, or if they offer services to or monitor the behaviors of young people residing there. In contrast, the California Code only applies to for-profit entities that meet certain revenue or quantitative thresholds. To be subject to the California Code, an entity must: (i) have annual gross revenues of more than USD 25 million (as adjusted periodically for inflation); (ii) buy, sell or share the personal information of 100,000 or more California residents or households; or (iii) make 50% or more of its annual revenues from selling or sharing California residents’ personal information.

Form and substance of the Codes

The UK Code is centered on 15 standards, whereas the California Code sets out eight affirmative requirements and 10 general prohibitions. The UK Code does not have the force of a statute like the California Code does but constitutes a code of practice intended to guide companies on how to comply with the UK General Data Protection Regulation (“UK GDPR”) and other UK privacy laws when offering online services that are likely to be accessed by children. The UK Code is more than 10 times the length of the California Code by word count and replete with explanations of the policy reasons behind its requirements, examples of how organizations can comply, and resources intended to help organizations implement compliance measures. The California Code is comparatively sparse on details and permits, but does not require, the California Attorney General to adopt regulations to clarify its requirements.

The best interests of the child

The UK and California Codes require covered entities to consider and respond to the best interests of children when designing their online services. However, the “best interests of the child” has different legal meanings in the UK and USA. The UK has ratified the United Nations Convention on the Rights of the Child (“UN Convention”) whereas the US has not. In line with the UN Convention, the UK Code explains that the “best interests of the child” is a concept that encompasses various important rights and values, including children’s rights to privacy and freedom from economic exploitation, the importance to children of access to information, association with others, and play in supporting their development, and the right to have a say in matters that affect them. By contrast, the “best interests of the child” standard generally only exists in US jurisprudence in the context of family and child welfare law, and, without more guidance, it is uncertain how authorities will interpret the term in the online consumer privacy law context. Nevertheless, both the UK and California Codes provide that the commercial interests of an organization will generally not outweigh a child’s right to privacy.

Data protection impact assessments

Both Codes establish as core requirements the duty to conduct a data protection impact assessment (DPIA) of any service likely to be accessed by children. In each case, the key objective of the DPIA is to identify and mitigate risks to children that may arise from the data processing operations, including risks that a child might be exposed to harmful content, contacts or conduct. Other risks are posed when services or products actively encourage young people to spend inordinate stretches of time engaged with them. Because the UK Code flows from the UK GDPR, a UK Code DPIA may look substantially different from a California Code DPIA. For example, Article 6 of the UK GDPR generally prohibits the processing of personal data unless one or more “lawful bases of processing” listed in the regulation applies, so a UK DPIA should specify the lawful basis for each processing activity involving children’s personal data. No analogous requirement applies in California. Consistent with Article 35(9) of the UK GDPR, the UK Code contemplates that, whenever possible, DPIAs should incorporate feedback and input from children and parents. The California Code does not mention the benefit of consultations with children or parents, although collaboration of this kind would make any DPIA more comprehensive.

Recommendations

Despite the differences across these two instruments, they share underpinning principles. As a result, they overlap more than they diverge. The upcoming California Code mirrors the UK Code’s key requirements and restrictions. Any companies feeling unsure about what is expected of them under the California Code should find it helpful to read the corresponding passages of the UK Code and its practical guidance. Whether or not a company is subject to either code, it would benefit from regularly conducting confidential assessments of the legal risks associated with its online services and fine-tuning them to mitigate those risks.

The UK and California Codes provide guidance on how to structure assessments. They list practices that go a long way towards keeping children safe. Companies should also monitor global legal developments in youth protection. Regulators around the world are increasingly taking action against companies that allegedly violate children’s privacy and safety requirements. Studying regulators’ decisions can yield important lessons. Lawmakers in many jurisdictions are now advancing new youth protection rules and regulations. Unfortunately, not all of them are as aligned with one another as the landmark UK and California Codes.

Author

Jonathan Tam is a licensed attorney in California and Ontario. He focuses on privacy, advertising, intellectual property, content moderation and consumer protection laws. He is passionate about helping clients achieve their commercial objectives while managing legal risks associated with activities involving data, information technology and media. Jonathan regularly writes about information technology and privacy, and is the Vice Chair of the Cybersecurity and Privacy Law Section of the Bar Association of San Francisco. He has completed secondments at a global payment services provider based in London, England and a world-leading tech company based in Silicon Valley. He joined Baker McKenzie as a summer associate in 2012 and has also worked in the Firm's Toronto office.

Author

Elizabeth Denham CBE joined Baker McKenzie as International Consultant, Data and Tech in 2022. She has over 15 years' experience as a data protection regulator in four jurisdictions. She was most recently the Information Commissioner for the UK (2016-2021). During her tenure in the UK she also chaired the Global Privacy Assembly, which brings together more than 130 data protection authorities around the world - the premier global forum for data protection. She is recognized as a leader in enabling responsible data use by government and the commercial sector, and for implementing the GDPR into UK law. She tackled some of the most complex issues facing the digital economy, including the use of data in political campaigns, the use of live facial recognition technologies in the commercial and police sectors, and the transparent and fair use of analytics and AI. She is passionate about the protection of children online, ethical and accountable use of health data, and supporting companies to embed data protection and security into their services and offerings. Elizabeth was honoured in the Queen's 2019 Honours list with a CBE for services to protecting personal privacy of UK citizens.