UK: ICO rules regarding the online privacy of children enter into force


The Age Appropriate Design Code (“Code”), a new legal code of conduct approved by the UK Information Commissioner’s Office (“ICO”), comes into force today (September 2, 2021) after a one-year transition period. The Code aims to regulate the provision of online services to children and provides influential guidance to businesses on how to build such services in accordance with UK data protection law.


It is a fact of modern life that the average child spends a lot of time online, often from a very young age. This is a trend that is particularly pronounced in the wake of the Covid-19 pandemic, as everything from providing education to socializing with friends is inevitably becoming increasingly digital. However, as the ICO points out, “one in five UK internet users are children but they are using an internet that was not designed for them”.

In this context, it became clear how important it is to set clear guidelines for companies that interact with children online. The Code seeks to address this need by promoting 15 flexible standards for “age-appropriate design” that are designed to reflect the specific privacy safeguards that children need on the Internet.

The Children’s Code is not a new law, but a legal code of conduct under the Data Protection Act 2018. The Code was amended on June 11, 2020 under s.125(1)(b) of the DPA. It was then issued by the ICO on August 12, 2020, but enforcement was delayed by a year during a transition period to give companies time to review it.

What does the code say?

In essence, the Code explains how the UK General Data Protection Regulation, the Data Protection Act, and the Data Protection and Electronic Communications Regulations apply to the design and delivery of “Information Society Services” (“ISS”, which includes everything from social media platforms to educational platforms to online games) to children. Consistent with the extraterritorial scope of these laws, it applies to both UK and non-UK based companies that process UK children’s personal data under an ISS.

At the heart of the Code are 15 standards that the ICO requires companies to adhere to when designing online services that are wholly or partially aimed at children. Many of these standards will be familiar to those who know UK data protection law, as they directly reflect the underlying legal requirements. Others are more loosely tied to legal requirements and reflect the ICO’s view of what, in the context of data protection law, represents fair and proportionate behavior towards a vulnerable group of data subjects such as young people. Ultimately, the standards are cumulative and interrelated and must therefore all be adhered to in practice:

  1. Child’s best interest should always be in the foreground;
  2. Data protection impact assessments to be carried out whenever appropriate, which will often be the case with regard to the processing of data on children;
  3. Age-appropriate application, taking into account the specific age range and the level of development of the target group;
  4. Transparency, which means being clear, open, and honest with younger users in a way they can understand;
  5. Harmful handling of data (any use of data that is manifestly detrimental to the physical or mental health and well-being of children or that violates standard industry rules of conduct) is prohibited;
  6. Guidelines and community standards are to be maintained;
  7. Default settings must be “high privacy”;
  8. Data minimization to be used when collecting data from children;
  9. Data transfer should be limited and non-routine disclosure of data usually requires a compelling reason to do so;
  10. Geolocation must be switched off by default;
  11. Parental controls are permissible and can be helpful, but it should be made transparent to the child that such controls are in place and whether the child is being followed or monitored;
  12. Profiling is disabled by default;
  13. Nudge techniques (i.e., design features that induce or encourage users to follow the designer’s preferred paths in making user decisions) are discouraged;
  14. Connected toys and devices must comply with the code; and
  15. Online tools must be accessible and visible to help the child.

The code specifies each standard, explains its particular relevance, outlines the underlying legal obligations and gives practical tips for implementation.

Who does it concern?

The Code targets “relevant information society services likely to be used by children”. While the definition of an ISS includes the requirement that it is normally provided for a fee (therefore excluding public services and other non-profit activities), the scope of ISS providers in a commercial context is broad and includes, among others, app developers, game companies, toy companies, social media platforms, educational apps and websites, and all media, television and radio companies.

What is the status of the Code (and what happens if I don’t adhere to it)?

The Code is a legal code of conduct that the ICO must publish in accordance with the Data Protection Act. It is only the second such code to be published under the 2018 Act, after the Data Sharing Code, which came into effect early this summer.

The Code formally sets out the ICO’s interpretation of the application of data protection law in this area. It will therefore be the primary reference point for the ICO when investigating online businesses and taking enforcement action against them regarding issues involving children. In addition, the Children’s Code can also be used as evidence in legal proceedings and the courts may need to take its provisions into account.

Therefore, although its recommendations are not themselves legally binding, it is strongly recommended that you comply with the code.