
5Rights calls for robust enforcement to protect children’s data

In our response to the ICO’s call for evidence on its 2024-25 strategy for the Age Appropriate Design Code, we have raised a number of concerns. These include the decision not to name tech companies to which the regulator had sent notices for poor compliance.


The Age Appropriate Design Code (Children’s Code, or ‘the Code’), which was brought in by the Data Protection Act 2018 and has been enforceable since 2021, is the first of its kind in the world – setting out 15 standards that digital services likely to be accessed by children must follow. 5Rights is calling out the regulator for not taking stronger enforcement action on companies for consistent non-compliance with the Code, which is leaving children’s privacy and safety at risk.

5Rights is proud to have helped make the case for the creation of the Code and continues to work with industry and the ICO to ensure services design data practices that put the best interests of children above all other considerations.

It has always been our ambition that companies would use their creativity to innovate in order to comply with the Code, rather than have the ICO force compliance retrospectively. However, three years into enforcement of the Code we regret that, despite an egregious and continuous lack of compliance with the Code, the ICO has failed to take action in any meaningful way. This includes where 5Rights has provided evidence of misuse of children’s data.

5Rights’ response to the ICO’s Children’s Code strategy raises a number of issues with the regulator’s ongoing enforcement of the Code:  

  • Transparency: We welcomed the recent announcement that the ICO has sent notice to 11 services for breaches of the Code, but we disagree with the decision not to name them. Companies in breach being subject to heightened scrutiny is a matter of public interest and is, in itself, an act of enforcement. The ICO must be more transparent in its enforcement action.
  • Defence of the Age Appropriate Design Code in any proposed data reform bill: It was notable that the ICO did not defend either UK GDPR or the Code against proposed changes to data protection by the previous government, which would have watered down protections for children. The ICO must defend the Code.  
  • Age-appropriate design and data processing: We would like to see greater enforcement action and auditing from the ICO which looks at how services are recognising that children have different capabilities and needs at different ages. This is a fundamental principle of the Code.  

5Rights has recommended that the Government set up an independent review to ensure transparency and optimise processes and functions for the effective enforcement of the Age Appropriate Design Code to keep children safe online.