A step towards clarity: welcoming ICO’s new guidance for EdTech on the Age Appropriate Design Code

We warmly welcome recently updated guidance from the Information Commissioner’s Office (ICO) on how the Age Appropriate Design Code (AADC) applies to educational technology (EdTech). Key improvements include: Clarifying that EdTech providers’ roles as ‘data processor’ or ‘data controller’ are established based on the evidence of control over the means and purposes of processing children’s data rather than the providers’ own designation in the contract. Clarifying when EdTech providers can fall under the scope of the AADC as information society services (ISS) even though it is provided through the schools. Removal of the terms creating confusion (such as ‘off-the-shelf’ products). Underscoring that data protection law requirements still apply, regardless of whether the AADC applies. Highlighting EdTech providers must identify an appropriate lawful basis under UK GDPR for its processing and specifying when public task lawful basis is unlikely to be appropriate.