Age Appropriate Design Code applies to edTech

Over the last year, various parties who work for edTech companies have suggested to us that the Age Appropriate Design Code does not apply to edTech.

We wrote to The Information Commissioner to ask for clarification on its application, as regards educational settings, since it came into legal force in September.

Here’s the reply we got back, below, and we’ll be honest: we had to ask for further clarification.

But the message we’ve got back clearly is that the Age Appropriate Design Code is independent of Article 8 of the GDPR, so it is independent of whether consent (or not) applies as a legal basis for processing.

The key answer we got is, “Yes. The Code covers not-for-profit apps, games and educational sites, including edTech apps, likely to be accessed by a child as long as those services can be considered as ‘economic activity’ in a more general sense. For example, they are types of services which are typically provided on a commercial basis (e.g. through subscriptions or advertising revenue).”

It appears from this that whether or not a school agrees a contract with a provider is irrelevant; it’s only about the data processing, not the lawful basis for it.

“The scope of the code is defined by reference to whether a service is a relevant ISS likely to be accessed by children, rather than by its lawful basis for processing.”

So it applies to processing of pupil data obtained through schools. We’ve annotated the reply below with letters, for reference.

The ICO response repeats our questions 1-3 to answer them. But we have to admit, even after discussion, at first we couldn’t easily understand answers c-e. If the Code is independent of Article 8, then in the context of schools and ISS, consent is a red herring and simply confuses the subject.

Children under 13 cannot give valid consent to data processing in a school, as it will never be sufficiently informed, or freely given. In fact, consent from any child of any age and even of parents may be invalid in an educational setting because of the power imbalance between the child, legal guardians, and the public authority. (See GDPR decision from the DPA in Sweden on facial recognition).

We find all of the mentions of consent a bit confusing and probably best ignored for schools.

In schools, consent is almost never the basis for lawful data processing by third parties contracted by schools, apps and platforms and certainly isn’t suitable for any that a school says must be used. (It’s used for optional things like school photos being used in school marketing or press work, or for medical treatment.)

“To determine the scope of the term ‘information society service’ in the GDPR, reference is made in Article 4(25) GDPR to Directive 2015/1535. ‘at the individual request of a recipient of services’ means that the service is provided through the transmission of data on individual request.”

There is no caveat made in data protection legislation for “an ISS only offered through an intermediary”.

It is important to understand in edTech that while schools’ contracts may be with the third party, not the child, the edTech apps and platforms operate with direct, individual accounts set up in children’s names or emails or sometimes pseudonyms. Their interactions and personal data processing are direct between the child (user) and ISS (the edTech service).

There is no intermediary. There is direct data collection and processing between the company and the child.

Even when schools set up these accounts at scale with a few clicks through the school info management system and send off the pupil (and parent) emails and personal data to set up the accounts, we cannot [yet] think of when the ICO statement might be intended to apply, “If an ISS is only offered through an intermediary, such as a school, then it is not offered ‘directly’ to a child.”

The Code applies. Companies need to comply. Schools should have those expectations of their contracted partners.

 


The reply from mid-October:
a. At the outset it is worth noting that the definition of ‘relevant information society service’ for the purposes of the children’s code differs slightly from the definition of an information society service for the purposes of Article 8 of the GDPR.

b. We have attempted to explain what this means in relation to the application of the children’s code, in response to your specific queries below. We have reproduced your questions for ease of reference.

[our letter to the ICO] “The ICO website states on ISS, “If an ISS is only offered through an intermediary, such as a school, then it is not offered ‘directly’ to a child.”

This appears to suggest that the ICO has decided that apps used in school (or at home at the school’s request such as Google Classroom or hundreds of homework apps) are not ISS and that therefore the Code does not apply to them.

However, in the ICO website text at the launch of the Code was stated: “This code applies to “information society services likely to be accessed by children” in the UK. This includes many apps, programs, connected toys and devices, search engines, social media platforms, streaming services, online games, news or educational websites and websites offering other goods or services to users over the internet.

It is not restricted to services specifically directed at children.” These appear to be conflicting or at least unclear positions compared together, and when compared with the GDPR and EDPB guidelines.”

c. Our “Children and the GDPR guidance” addresses the question of whether a service is offered ‘directly to a child’ for the purposes of Article 8.

As the guidance explains, where a service is only made available through an intermediary, such as a school, the ICO does not consider it to be offered directly to a child. In these circumstances, if the service relies on consent as its basis for processing, the Article 8 requirement to obtain parental consent for under 13s does not apply. In other words, a child under the age of 13 could potentially provide their own consent to the processing, provided that they are competent to do so. Any such consent would still need to meet the general GDPR standard to be valid. Further information in this regard is provided in the What if we’re relying on consent? section of our guidance.

d. The code may still apply to a service offered via an intermediary if it meets the definition of a relevant ISS as explained below. Where this is the case a child under 13 could provide their own consent, if this were the basis for processing.

e. To this extent, there may be a difference between what services covered by the code but offered via a school are required to do in relation to satisfying the lawful basis for processing.

1. Does the Code apply to ISS such as edTech apps and platforms in educational settings?

f. Yes. The Code covers not-for-profit apps, games and educational sites, including edTech apps, likely to be accessed by a child as long as those services can be considered as ‘economic activity’ in a more general sense. For example, they are types of services which are typically provided on a commercial basis (e.g. through subscriptions or advertising revenue).

2. Does the Code *only* apply to ISS processing on the basis of consent (and Article 8)? If so this is mostly invalid in schools and negates its application.

g. No, the scope of the code is defined by reference to whether a service is a relevant ISS likely to be accessed by children, rather than by its lawful basis for processing. Relevant services may rely on other bases such as legitimate interests or contract. It is up to the information society service to determine the most appropriate lawful basis for processing in line with general accountability requirements. The lawful basis will depend on the nature of the personal data being collected and the purpose for which it is being used by an edTech service.

3. Or is it contextual? i.e. the ICO intends for educational websites to fall under the Code when a child uses them without their school requiring them to (i.e. it applies on a consent basis as a private citizen but not a pupil), so *in school* the Code would not apply to the same app that it would apply to if signed up for at home.

h. No, similarly to question 1 above, provided that the ISS meets this definition then the code will apply, though as we have tried to explain, there may be differences in what a service is required to do in relation to any consent based processing, depending on whether the service is offered via a school or not.