We have recently been notified by a client who was going through a Lexcel audit that they should review how their website adheres to the Age-appropriate design: a code of practice for online services guidance that was issued by the ICO back in 2020 and was supposed to be implemented by 2 September 2021. This is also known as The Children’s Code.
This is what the Lexcel assessor suggested to the client:
“Whilst online businesses targeting children specifically will need to carefully assess their approach to the service they offer, organisations such as law firms should still review points of online access, such as the firm’s website, that children might interact with. For instance, if a firm publishes blogs on its website that a 16-year-old might read in support of research for a college project, then this could fall in the scope of the code.”
And, before you read on, it was news to us that such a code of practice existed, but then we spend our lives working with law firms, not with clients who specifically target children with their products and services. If you want to, feel free to go straight to the full code on the ICO website.
In their Executive Summary the ICO says:
Children are being ‘datafied’ with companies and organisations recording many thousands of data points about them as they grow up. These can range from details about their mood and their friendships to what time they woke up and when they went to bed.
Conforming to this statutory code of practice will ensure that as an organisation providing online services likely to be accessed by children in the UK, you take into account the best interests of the child. It will help you to develop services that recognise and cater for the fact that children warrant special protection in how their personal data is used, whilst also offering plenty of opportunities to explore and develop online.
In England a child is defined as anyone who has not yet reached their 18th birthday with some specific exceptions for over 16s (NSPCC).
Personally, we do not think that law firms are a) targeting children with their websites or b) ‘datafying’ children. But is Lexcel right to flag this to law firms? Yes, of course. But do we think law firms have something to ‘fix’? No.
There are 15 standards that the code covers which I comment on below and whether a law firm’s website really should be considered as an ‘information society service (ISS)’ which the ICO define as:
“any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services.”
The ICO goes on to define what types of online services are not ‘relevant ISS’, and one of these definitions is as follows:
Websites which just provide information about a real-world business or service
If your website just provides information about your real-world business, but does not allow customers to buy products online or access a specific online service, it is not an ISS. This is because the service being offered is not provided ‘at a distance’. An online booking service for an in-person appointment does not qualify as an ISS.
We could end the blog post right here and argue (m’lud) that a law firm’s website is not a relevant ISS and therefore not covered by the code as it does only provide information about the law firm’s real-world business. But below we’ve reviewed all 15 standards and provide a comment on each one suggesting whether it is something you should review.
And right at the bottom of this post we have linked to an excellent hub on the ICO website if you want more detail.
Age-Appropriate Design code of practice – The 15 Standards
Here we review the brief description of the 15 standards
- Best interests of the child: The best interests of the child should be a primary consideration when you design and develop online services likely to be accessed by a child.
Of course. This is stating the obvious. But, most law firms’ websites are not likely to be accessed by a child.
- Data protection impact assessments: Undertake a DPIA to assess and mitigate risks to the rights and freedoms of children who are likely to access your service, which arises from your data processing. Take into account differing ages, capacities and development needs and ensure that your DPIA builds in compliance with this code.
As above, children are not that likely to use a law firm’s website. And if they do, the data collection is likely to be the same as any other user of the website e.g. some fields like name, email, enquiry details. So there really is a limited risk of problems from this data collection.
- Age-appropriate application: Take a risk-based approach to recognising the age of individual users and ensure you effectively apply the standards in this code to child users. Either establish age with a level of certainty that is appropriate to the risks to the rights and freedoms of children that arise from your data processing, or apply the standards in this code to all your users instead.
Ever been on a website that sells alcohol? They used to just ask you to confirm you are over 18. But recently I visited https://www.cotswoldsdistillery.com/ (Disclosure. It’s owned by a friend of mine) and now have to put in my date of birth. And of course, someone under 18 could always lie. But the risk-based approach a law firm would take is quite simple. If the enquiry form said “I want to sue my parents” then maybe the first question the law firm asks when they make contact is “How old are you?”.
- Transparency: The privacy information you provide to users, and other published terms, policies and community standards, must be concise, prominent and in clear language suited to the age of the child. Provide additional specific ‘bite-sized’ explanations about how you use personal data at the point that use is activated.
Again, a law firm’s website is not aimed at children so I do not think this is necessary.
- Detrimental use of data: Do not use children’s personal data in ways that have been shown to be detrimental to their wellbeing, or that go against industry codes of practice, other regulatory provisions or Government advice.
Of course. This is stating the obvious.
- Policies and community standards: Uphold your own published terms, policies and community standards (including but not limited to privacy policies, age restriction, behaviour rules and content policies).
Of course. This is stating the obvious.
- Default settings: Settings must be ‘high privacy’ by default (unless you can demonstrate a compelling reason for a different default setting, taking account of the best interests of the child).
Most law firm websites do not have these kinds of settings. I see this as being more applicable to iOS and Android apps.
- Data minimisation: Collect and retain only the minimum amount of personal data you need to provide the elements of your service in which a child is actively and knowingly engaged. Give children separate choices over which elements they wish to activate.
This is the same for everyone, not just children.
- Data sharing: Do not disclose children’s data unless you can demonstrate a compelling reason to do so, taking account of the best interests of the child.
Of course. This is stating the obvious.
- Geolocation: Switch geolocation options off by default (unless you can demonstrate a compelling reason for geolocation to be switched on by default, taking account of the best interests of the child). Provide an obvious sign for children when location tracking is active. Options which make a child’s location visible to others must default back to ‘off’ at the end of each session.
Most law firm websites do not use geolocation. This might be limited to firms with international offices and again, this is the same for everyone, not just children.
- Parental controls: If you provide parental controls, give the child age-appropriate information about this. If your online service allows a parent or carer to monitor their child’s online activity or track their location, provide an obvious sign to the child when they are being monitored.
Not relevant to law firm websites.
- Profiling: Switch options which use profiling ‘off’ by default (unless you can demonstrate a compelling reason for profiling to be on by default, taking into account the best interests of the child). Only allow profiling if you have appropriate measures in place to protect the child from any harmful effects (in particular, being fed content that is detrimental to their health or wellbeing).
Not relevant to law firm websites.
- Nudge techniques: Do not use nudge techniques to lead or encourage children to provide unnecessary personal data or weaken or turn off their privacy protections.
Most law firm websites and follow-up marketing do not use ‘nudge techniques’. This is also knowns as ‘progressive disclosure’ and can be used effectively when ‘personalising’ a website e.g. the first time I visit and register for something you just want my name and email address. The next time when I register for something else you ask for my phone number and location.
- Connected toys and devices: If you provide a connected toy or device ensure you include effective tools to enable conformance to this code.
Not relevant to law firm websites.
- Online tools: Provide prominent and accessible tools to help children exercise their data protection rights and report concerns.
Not relevant to law firm websites.
Additional Children’s Code Resources for Law Firms
The ICO has an excellent hub on their website at https://ico.org.uk/for-organisations/childrens-code-hub/
Here there are some Age-Appropriate Design FAQs, a DPIA template and a full-on self-assessment risk tool that your COLP might love!