UK Age Appropriate Design Code (Children's Code)
The UK Children's Code is a statutory ICO code requiring online services likely accessed by children to apply 15 data protection standards, including high-privacy defaults and data minimization. It is enforced through the UK GDPR, with substantial fines.
What the UK Children's Code Is
The Age Appropriate Design Code, commonly called the Children's Code, is a statutory code of practice issued by the UK Information Commissioner's Office (ICO) under the Data Protection Act 2018. It sets out 15 standards that online services must follow to protect children's personal data and put their best interests first. It exists to address the reality that children use online services not designed with their needs in mind, and that their data can be exploited or misused.
The Code is not a separate law but is enforceable through the UK GDPR and Data Protection Act, which the ICO uses as the legal basis for action. It became the template for similar codes worldwide, including California's.
Who It Applies To
The Code applies to providers of information society services likely to be accessed by children under 18 in the UK, including apps, games, social media, connected toys, search services, and many websites. It applies broadly because "likely to be accessed" is interpreted generously, capturing services not specifically aimed at children.
Key Requirements
- Best interests of the child — Treat the best interests of the child as a primary consideration in design.
- Data protection impact assessments — Conduct DPIAs to identify and mitigate risks to children.
- High-privacy defaults — Set settings to high privacy by default unless there is a compelling reason otherwise.
- Data minimization — Collect and retain the minimum personal data needed.
- Limit profiling and nudging — Turn off profiling by default and avoid techniques that encourage children to weaken protections.
- Transparency — Provide clear, age-appropriate privacy information.
Penalties for Non-Compliance
Because the Code is enforced through the UK GDPR, breaches can attract the same penalties: fines of up to 17.5 million pounds or 4 percent of global annual turnover, whichever is higher, along with enforcement notices and corrective orders. The ICO also uses audits and investigations, and non-compliance carries significant reputational risk.
How to Comply
Assess whether the service is likely to be accessed by children, then carry out DPIAs focused on children's risks. Implement high-privacy defaults, minimize data, switch off profiling by default, and avoid manipulative design. Provide transparent, age-appropriate information, and apply the 15 standards across the service. Document decisions to demonstrate accountability under the UK GDPR.