New UK statutory code to protect children’s data comes into force

Organisations providing online services and products for children are now subject to a new statutory code, the UK’s data protection regulator, the Information Commissioner’s Office (ICO) announced today.

The Age Appropriate Design Code, or Children’s Code, will particularly apply to organisations designing, developing or providing apps, social media platforms, online games, streaming services, connected toys and streaming services if they use, analyse and profile the data of under-18s, according to the ICO.

Organisations are being given a 12-month transition period to come into compliance with the risk-based Code, which lays out 15 standards, amounting to ‘by design approach’ to children’s data protection. The 15 standards are supported by existing data protection laws, and therefore are regulated and enforced by the ICO.

The standards mandate that:

  • The best interests of the child should be a primary consideration when designing and developing online services to be accessed by children.
  • A DPIA must be undertaken to assess and mitigate rights to the rights and freedoms of children likely to access the service.
  • A risk-based approach to be taken to recognising the age of individual users and applying the code effectively.
  • Privacy information must be concise, prominent, in clear, age-appropriate language and include additional explanation at the point of activation.
  • Use of children’s personal data must not be detrimental to their wellbeing.
  • Published terms, policies and community standards must be upheld.
  • Settings must be “high privacy” by default.
  • Only the minimum amount of personal data to provide the service must be collected and retained.
  • Children’s data must not be shared unless there is a compelling reason to do so.
  • Geolocation options must be switched off by default.
  • Children should be clear about parental controls or monitoring.
  • Options that use profiling should be switched off by default.
  • Nudge techniques encouraging children to provide unnecessary personal data or turn off privacy protections should not be used.
  • Tools to enable compliance with the Code are necessary for connected toys or devices.
  • There should be prominent and accessible tools to help children exercise their data protection rights and report concerns.

The code applies to UK companies, non-UK companies with a branch, office or establishment in the UK that processes personal data and non-EEA companies offering services to UK users likely to be accessed by children. It won’t, however, apply to non-UK companies without UK branches or offices that have do one in the EEA.

Elizabeth Denham, Information Commissioner said:

“A generation from now we will all be astonished that there was ever a time when there wasn’t specific regulation to protect kids online. It will be as normal as putting on a seatbelt.

“This code makes clear that kids are not like adults online, and their data needs greater protections. We want children to be online, learning and playing and experiencing the world, but with the right protections in place.

“We do understand that companies, particularly small businesses, will need support to comply with the code and that’s why we have taken the decision to give businesses a year to prepare, and why we’re offering help and support.”


Registration now OPEN for PrivSec Global
Taking place across four days from 30 Nov to 3 Dec, PrivSec Global, will be the largest data protection, privacy and security event of 2020.

Reserve your place before 2nd October, and receive VIP access to PrivSec Global which includes priority access to limited space sessions, workshops, networking opportunities and exclusive content.

We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.