Comply with the Children's Code to protect children's privacy online

Guide

Last updated 2 September 2021

The Age Appropriate Design Code - or 'The Children's Code' - is a data protection code of practice for online services likely to be accessed by children. For the purposes of the code, a child is any person under the age of 18.

Following a transition year, The Children's Code came fully into force on 2 September 2021.

Services covered by The Children's Code

The code applies to 'information society services' likely to be accessed by children in the UK. In simple terms, this means:

  • apps
  • online games
  • connected toys and devices
  • search engines
  • streaming services
  • social media platforms
  • websites that offer goods or services over the internet

The code is not limited to services specifically directed at children.

If your online service appeals to children up to the age of 18, even if it's not designed for them, you should check if The Children's Code applies to your business.

Complying with The Children's Code

The code is not a new law. It simply translates how the existing data protection law applies in the context of children using digital services.

If you are covered by the code, it requires you to follow a series of standards when designing, developing or providing online services where they are likely to be accessed by children.

These standards require you, amongst other things, to:

  • put the children first by asking the right questions - for example, what's the age range of your users or how much personal data do you really need
  • give children high privacy settings by default - such as optional uses of personal data switched off, privacy settings switched to high and location sharing switched off
  • give children age-appropriate services even if they want to change their default settings - for example, if they want to see targeted advertising, ensure this is still age-suitable
  • provide age-appropriate explanations about why data is used - for example, advise children to check with a trusted adult before they carry out an action
  • provide tools to help children when they need it - such as tools to help them download or delete their data

Find a detailed outline of all 15 code standards you must follow.

What if you don't know how old your users are?

If you don't know the age of your users, your actions will depend on what you are doing with their data and what impact this might have on children. Your options might include:

  • asking your users about their age
  • carrying out age checks
  • providing high privacy by default to all users, regardless of age

The code suggests other methods you should consider, depending on the risks associated with your data processing. Higher risks will generally require a greater level of assurance.

What happens if you do not conform to the code?

The code is rooted in existing data protection laws, including the UK General Data Protection Regulation and the Data Protection Act 2018. If you are providing relevant services, you should follow the standards as part of your approach to complying with data protection law.

If you do not conform to the code, you may find it more difficult to demonstrate that your data processing is fair and in compliance with the data protection law. If your services process a child's personal data in breach of the law, you could face enforcement action by the ICO.


First published 22 March 2021