The Age Appropriate Design Code: Time to Dust Off that DPIA

Information (such as who is using a service, how frequently and where from) can be gathered from users of search engines, websites, apps and online or app-based game. This can then be used by organisations to tailor the advertisements users see, drive the content of apps and websites and encourage users to spend more time using the website or app. This applies equally to adults and children.

The Age Appropriate Design Code (known more commonly as the Children’s Code) introduced by the UK personal data regulator, the Information Commissioner’s Office (the “ICO”), is a step change in how children’s privacy is protected online. It recognises that the personal data of adults and children should not be treated in the same manner particularly given that the internet was not designed with children in mind. The Information Commissioner’s Office introduced the Children’s Code in April 2019 with a consultation paper. The ICO’s stated aim is that through the Children’s Code “children have a baseline of protection automatically by design and default, so that they are protected within the digital world rather than being protected from it”.

The Children’s Code is now legally enforceable (the ICO was required specifically to promulgate a code of practice to safeguard children online under s123 of the Data Protection Act 2018). It is not new law; rather it is guidance that has been developed to help organisations comply with their obligations under the General Data Protection Regulation (“GDPR”) and will be considered when enforcement actions and investigations are being carried out by the ICO.

1.What Services Are Caught by the Children’s Code?

The Children’s Code applies to any organisation providing “information society services” meaning online services and products likely to be accessed by children up to age 18 and which processes their data (the “Relevant Services”). Accordingly, it will cover all major social media and online services used by children in the UK. It is important to note that it takes a risk-based approach. This means that the way the Children’s Code will apply to each organisation is different. Some organisations will have to do more to comply with the Children’s Code than others.

Online services or apps are covered by the Children’s Code even if they are not specifically targeted at children, therefore, its reach is wide. Apps, online games, connected toys and devices, search engines, social media platforms and websites that offer goods, news or education services all potentially need to comply with the Children’s Code.

2.When Does the Children’s Code Come into Force?

The Children’s Code came into force on 2 September 2020, triggering the start of a 12 month transition period with the objective of giving organisations a 12 month grace period to make the necessary changes to put children’s privacy at the heart of their design. Everyone will need to be compliant by 2 September 2021.

3.What Standards Are Expected by the Children’s Code?

The Children’s Code takes a risk-based approach and is shaped into 15 standards which set out how organisations should comply with data protection law as follows:

  • i.Best interests of the child:
    Article 3 of the United Nations Convention on the Rights of the Child states the ‘best interests of the child’ standard should be a primary consideration when designing and developing Relevant Services. This is backed up by Recital 38 of the GDPR which states that: “Children merit specific protection with regard to their personal data, as they may be less aware of the risks, consequences and safeguards concerned and their rights in relation to the processing...”.
  • ii.Data protection impact assessments (DPIA):
    Organisations should undertake a DPIA to assess and mitigate risks to the rights and freedoms of children who are likely to access the Relevant Service, which arise from data processing. The DPIA must be designed to take into account differing ages, capacities and development needs of children accessing the Relevant Service and ensure that the DPIA builds in compliance with the Children’s Code.
  • iii.Age appropriate application:
    Organisations should take a risk-based approach to recognising the age of individual users and ensure they effectively apply the standards in the Children’s Code to child users. The ICO discourages age-gating. Instead, organisations should either establish age with a level of certainty that is appropriate to the risks to the rights and freedoms of children that arise from data processing, or apply the standards in the Children’s Code to all users instead.
  • iv.Transparency:
    The privacy information provided to users, and other published terms, policies and community standards, must be concise, prominent and in clear language suited to the age of the child. Organisations should provide additional specific ‘bite-sized’ explanations about how personal data is used at the point that use is activated.
  • v.Detrimental use of data:
    Organisations must not use children’s personal data in ways that have been shown to be detrimental to their wellbeing, or that go against industry codes of practice, other regulatory provisions or Government advice.
  • vi.Policies and community standards:
    Organisations must uphold their own published terms, policies and community standards (including but not limited to privacy policies, age restriction, behaviour rules and content policies).
  • vii.Default settings:
    The ICO recommends that settings must be ‘high privacy’ by default (unless an organisation can demonstrate a compelling reason for a different default setting, taking account of the best interests of the child (see Standard i)).
  • viii.Data minimisation:
    Organisations must collect and retain only the minimum amount of personal data they need to provide the elements of their service in which a child is actively and knowingly engaged. Children should be given separate choices over which elements they wish to activate.
  • ix.Data sharing:
    Children’s data must not be disclosed unless it can be demonstrated that there is a compelling reason to do so, taking account of the best interests of the child.
  • x.Geolocation:
    Geolocation options should be switched off by default (unless an organisation can demonstrate a compelling reason for geolocation to be switched on by default, taking account of the best interests of the child). Obvious signs for children must be provided when location tracking is active. Options which make a child’s location visible to others must default back to ‘off’ at the end of each session.
  • xi.Parental controls:
    If parental controls are provided, give the child age appropriate information about this (so toddlers should be differentiated from teens). If an online service allows a parent or carer to monitor their child’s online activity or track their location, children should be given an obvious sign when they are being monitored.
  • xii.Profiling:
    Options which use profiling should be switched ‘off’ by default (unless a compelling reason for profiling to be on by default can be, taking account of the best interests of the child). Only allow profiling if the appropriate measures are in place to protect the child from any harmful effects (in particular, being fed content that is detrimental to their health or wellbeing).
  • xiii.Nudge techniques:
    Nudge techniques to lead or encourage children to provide unnecessary personal data or weaken or turn off their privacy protections should not be used.
  • xiv.Connected toys and devices:
    If an organisation provides a connected toy or device include effective tools to enable conformance to the Children’s Code.
  • xv.Online tools:
    Organisations should provide prominent and accessible tools to help children exercise their data protection rights and report. To the extent that the standards are relevant to a Relevant Service they must all be implemented to show conformity with the Children’s Code.
    The expectations the Children’s Code places on online services and apps have been summarised by the ICO as follows:
  • create an open, transparent and protected place for children when they are online;
  • follow a series of standards when designing, developing or providing online services where they are likely to be accessed by children;
  • consider the best interests of the child when processing their personal data; and
  • implement high privacy settings by default and use language that is clear and easy for children at different development stages to understand.

4.What is the Geographical Scope of the Children’s Code?

The Children’s Code not only applies to UK companies but also to non-UK companies with a branch, office or establishment in the UK, if that organisation processes personal data in the context of the activities of that organisation.

Organisations based outside the EEA should also be aware that the Children’s Code applies to them if their services are offered to UK users and those services are likely to be accessed by children. However, even if an organisation is offering services to UK users or monitoring the behaviour of users in the UK, it does not apply if an organisation is based outside the UK and not have a UK branch or office but has one elsewhere in the EEA.

5.What Happens If the Children’s Code Is Breached?

Fundamental to data protection (under Article 5(1)(a) of GDPR and the Data Protection Act 2018) is the concept that personal data must be “processed lawfully, fairly and in a transparent manner in relation to the data subject”. If online providers and app designers do not comply with the Children’s Code, it will make it more difficult for them to demonstrate that the processing complies with Article 5(1)(a).

As for any breach of GDPR, the Data Protection Act 2018 or the Privacy and Electronic Communications Regulations 2003 (PECR), the ICO is empowered to exercise a range of audits, assessments, stop processing orders and fines (of up to 4% of global turnover).

6.What Should I Do Now?

The first thing that businesses should do is to determine whether geographically the Children’s Code applies to them and, if so, whether they provide Relevant Services (see definition above).

They should carry out a Data Protection Impact Assessment (“DPIA”) on the Relevant Services to ascertain their compliance with the Children’s Code. We can assist with this process. Alternatively, templates are available on the ICO’s website.

Any remediation identified by the DPIA need to be effected by the deadline of 2 September 2021. Please feel free to contact us if you need any guidance in ensuring your compliance with the Children’s Code when it comes into force on 2 September 2021.

14 December 2020


  • Garfield Smith
    Garfield Smith Senior Solicitor
    Managing Director
    Find out more
  • Amanda Sermon
    Amanda Sermon Senior Solicitor
    Head of Corporate Finance
    Find out more