The Children’s Code – officially the Age-Appropriate Design Code – sets out essential standards for how online services handle children’s personal data under UK law. It applies to any Information Society Service (ISS) that is likely to be accessed by users under 18, even if they aren’t your target audience.
Navigating compliance is far from straightforward. The Code overlaps with a growing body of legislation, including the UK GDPR, the Data Protection Act 2018, the Online Safety Act (OSA) 2023, and increasingly, the Data Use and Access Act (DUAA) 2025, which governs how personal data is accessed and reused across digital services. This evolving legal landscape places pressure on businesses to design child-centred services that are transparent, proportionate and secure. Our data protection solicitors collaborate with platforms, developers, and service providers to embed privacy by design, conduct data protection impact assessments (DPIAs), and implement age-appropriate controls that align with multiple legal requirements.
What are the key standards of the Children’s Code?
The Children's Code sets out 15 standards that online services (likely to be accessed by children in the UK) must meet to ensure that children’s personal data is protected online. This is not a new law, but rather a set of standards outlining how the UK GDPR applies to children using online services.
| Standard | Description |
| --- | --- |
| 1- Best interests of the child or young user | This should be the primary consideration when designing and developing online services that are likely to be accessed by young users. |
| 2- Data protection impact assessments | Undertake a Data Protection Impact Assessment to assess and mitigate risks to the rights and freedoms of children who are likely to access your service, arising from your data processing. |
| 3- Age-appropriate application | You need to take a risk-based approach to recognising the age of individual users and ensure you apply these standards to younger users. Either establish age with a level of certainty that is appropriate to the risks, rights and freedoms of children that arise from your data processing or apply these standards to all your users. |
| 4- Transparency | The privacy information provided to users, along with other published terms, policies, and community standards, must be concise, prominent, and in clear language suitable for the child's age. Provide additional specific ‘bite-sized’ explanations about how personal data is used at the point that use is activated. |
| 5- Detrimental use of data | You shouldn’t use children’s personal data in ways that are detrimental to their well-being, or that go against industry codes of practice, other regulatory provisions, or Government advice. |
| 6- Policies and community standards | You should uphold your own published terms, policies, and community standards (including, but not limited to, privacy policies, age restrictions, behaviour rules and content policies). |
| 7- Default settings | Settings must be ‘high privacy’ by default (unless you can demonstrate a compelling reason for a different default setting, taking account of the best interests of the child). |
| 8- Data minimisation | You should only collect and retain the minimum amount of personal data you need to provide the elements of your service in which a young user is actively and knowingly engaged. Allow these users to make separate choices about which elements they wish to activate. |
| 9- Data sharing | Don’t disclose children’s data unless you can demonstrate a compelling reason to do so, taking account of the best interests of the child. |
| 10- Geolocation | Switch geolocation options off by default (unless you can demonstrate a compelling reason for geolocation to be switched on by default, taking account of the best interests of the child). Provide a clear indication for children when location tracking is active. Options which make a child’s location visible to others must default back to ‘off’ at the end of each session. |
| 11- Parental controls | If you provide parental controls (also accessible to caregivers or guardians), give the child age-appropriate information about them. If your online service allows a parent or caregiver to monitor their child’s online activity or track their location, provide the young user with a clear indication that they are being monitored or tracked. |
| 12- Profiling | Switch options that use profiling ‘off’ by default (unless there’s a compelling reason for profiling to be on by default, taking into account the best interests of the child). Only allow profiling if you have appropriate measures in place to protect the young user from any harmful effects (in particular, being fed content that is detrimental to their health or wellbeing). |
| 13- Nudge techniques | Don’t use nudge techniques to lead or encourage children to provide unnecessary personal data or weaken or turn off their privacy protections. |
| 14- Connected toys and devices | Ensure connected toys or devices include effective tools to enable conformance with the Code. |
| 15- Online tools | Provide prominent and accessible tools to help young users exercise their data protection rights and report concerns. |
Why is the Children’s Code important?
The Code is welcome because online services finally have a set of key standards to conform to. Children are frequent and active users of online services, often engaging with digital platforms as much as, if not more than, adults. The Code seeks to ensure that children are provided with the same rights as adults. This is why privacy notices must be transparent enough for a young user to read and understand how their personal data is being collected and processed. Statistics suggest that one in five UK internet users is a child, yet the services they use are often not designed for them. The Information Commissioner has acknowledged that the Code will never replace parental or caregiver control and guidance. Still, it will undoubtedly give families, carers and responsible adults greater confidence that the children in their care can learn, explore and play online safely.
Who does the Code apply to?
Section 123 of the Data Protection Act 2018 says that this Code applies to relevant ISS which are likely to be accessed by children. An ISS is any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services. The Information Commissioner's Office (ICO) describes this as including:
- Applications
- Programs
- Search engines
- Social media platforms
- Online messaging or internet-based voice telephony services
- Online marketplaces
- Content streaming services (e.g. video, music or gaming services)
- Online games
- News or educational websites
- Electronic services for controlling connected toys and other connected devices
- Websites offering other goods or services to users over the internet
The ICO provides guidance on which services fall under the definition of an ISS, helping you decide whether the Code applies to your business.
App stores such as Google Play or the Apple App Store require developers to follow their privacy guidelines in order for their applications to be available for download. We discuss the different privacy requirements in our guide to Apple's app privacy policy.
Does the Children’s Code only apply to UK-based companies?
As the Code is issued under the Data Protection Act 2018, it comes under the UK data protection regime and, as such, applies to online services based in the UK.
However, due to territorial scope, the following would also be in scope:
- Online services based outside the UK that have a branch, office or other ‘establishment’ in the UK, and process personal data in the context of the activities of that establishment.
- Some other services based outside the UK, even if they don’t have an establishment in the UK, are subject to extra-territorial scope.
This means that the Code would apply to both UK and non-UK companies that process personal data of UK children.
Who does the Children’s Code not apply to?
The Code doesn’t apply to public authorities that provide online public services which process personal data for law enforcement purposes. These services do not come under the definition of ISS. The Code also does not apply to counselling or preventive services, for example, health screenings or check-ups, although it would include fitness and well-being services.
Who is a child or young user under the Children’s Code?
A child or young user is anyone under the age of 18 years. This is in accordance with the UN Convention on the Rights of the Child (UNCRC). The Code would apply to anyone under the age of 18 who is likely to access any online service.
Will companies need to know the age of users?
Companies need to undertake a DPIA, which would consider whether their online service is likely to be accessed by children under the age of 18. Your DPIA should cover children even if the service is not aimed at them, because children do not only access online services that are aimed at them.
You may need to regularly monitor the age of visitors to your website, as this will provide an indication of the age range of your users and help ensure compliance with the Code.
What do I need to do to comply with the Code?
- Data mapping – determine what personal data you are collecting from UK children. Even if you do not believe you are processing any UK children’s personal data, you must document your decision-making process.
- Conduct a DPIA on collecting and processing children’s personal data.
- Monitoring – check the age of users who visit your website or have access to your services.
- Geolocation – switch it off to prevent tracking your visitors' locations.
- Avoid using nudge techniques that lead or encourage children to provide more personal data.
- Implement ‘high privacy’ settings by default.
- Assess whether your company complies with the key standards.
What penalties are there for not following the Children’s Code?
The ICO will monitor conformance to the Code using measures ranging from intelligence gathering and audit or assessment powers to investigation and regulatory action. The ICO’s policy is that the public interest in protecting children online is a significant factor weighing in the balance when considering the type of regulatory action. The ICO states it will take more severe action against an organisation where there is harm or potential harm to children.
When deciding what type of enforcement action to take, the ICO will consider:
- The size and resources of the organisation concerned
- Availability of technological solutions in the marketplace
- Specific risks to children that are inherent in the processing
- Efforts made to conform to the Code
What if you don’t comply?
Only time will tell what kind of enforcement action the ICO will take, as this will depend on the circumstances and type of breach. What we do know is that processing children’s personal data is inherently high risk, and failing to comply with the Code can only bring severe ramifications.
What does the UK GDPR say about children’s data?
Article 8 of the UK GDPR considers conditions applicable to a child’s consent in relation to Information Society Services. The UK GDPR also states ‘children merit specific protection regarding their personal data, as they may be less aware of the risks, consequences and safeguards concerned and their rights in relation to the processing of personal data.’ To comply with the UK GDPR, the ICO has published guidance to assist online services that process personal data of children.
Which online services are covered by the ICO Children’s Code?
The Code applies to online services that are likely to be accessed by children in the UK. This would include:
- Applications
- Programs
- Connected toys and devices
- Search engines
- Social media platforms
- Streaming services
- Online games
- News or educational websites
- Websites offering other goods or services online.
You should note that it’s not restricted to services specifically directed at children.
What are the key issues regarding complying with the Children’s Code and consent?
You will always need a lawful basis for processing the personal data of children. Consent is one such lawful basis, though not always the best option. It remains available only if you can provide children (or parents) with an informed choice and control over how you use their personal data. Where you rely on consent, take care that the young user understands what they are consenting to. Use clear and simple language, in line with the principle of transparency.
Remember, consent must be as easy to withdraw as it was to give; the right to erasure of personal data would be relevant here.
You can find examples for each of the six lawful bases in our guide to data processing.
Are privacy settings the same as consents?
Under UK GDPR, consent means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by an explicit affirmative action, signifies agreement to the processing of personal data relating to him or her. (The regulation refers to "he or she"; however, inclusive practice recognises gender diversity.)
The Code states that privacy settings can give children a choice over how their personal data is used. If a particular setting is off by default, the young user or parent would need to activate the processing by changing the default setting, which can then be used as part of your mechanism for obtaining consent under the UK GDPR. You will still need to comply with Article 7 and Article 8 of the UK GDPR when doing so, so privacy settings won’t be sufficient on their own.
Is there an age limit for consent?
The Code stipulates that only a child over the age of 13 years can provide consent. For any child or young user under the age of 13, consent must be obtained from a parent, guardian, caregiver or another person with legal authority.
What changes have TikTok and YouTube made?
Since the implementation of the Code, both social platform giants have made announcements about how they will handle children’s personal data and account information. This follows a 2019 fine of £4 million for TikTok's illegal collection of personal information from children under 13 years old. It appears that failures were still evident, as the Dutch Data Protection Authority fined TikTok €750,000 in 2021 for failing to comply with transparency obligations. TikTok has since made changes to safeguard the privacy of children, including only allowing direct messaging for users aged 16 and over. It now allows parents to manage their children’s TikTok account privacy settings from their own phones.
Meanwhile, Google has privacy policies in place for children who use its YouTube platform. This is intended to give younger users more control over their digital footprint.
Videos uploaded to YouTube by users under 18 years will be set to private by default, meaning that only the user or those they choose can view the content initially. However, the settings can be adjusted if desired.
YouTube will also provide younger users with breaks and bedtime reminders, as well as the option to turn off autoplay features. Virtual platforms are full of risk, so it will be interesting to see how TikTok and YouTube conform to the Code.
Can a child exercise data protection rights? Can a parent act on the child's behalf?
Children have the same rights as adults under the UK GDPR. Data subjects have the right to:
- Be provided with a transparent and clear privacy notice
- Access their personal data
- Have inaccurate personal data rectified
- Exercise the right to erasure
- Restrict the processing in specified circumstances
- Data portability
- Object to certain processing
- Not be subject to automated individual decision-making, including profiling.
They also have the right to remedies and compensation where their data protection rights have been breached.
A child or young user can exercise their data protection rights if they can understand the nature and implications of those rights. In England and Wales, this is assessed based on the child’s level of understanding rather than their age. However, if a child’s decision could result in significant harm or goes against recognised safeguarding principles, they may not be considered capable of making that decision independently.
The ICO advises that if a child (or young user) is assessed as having the capacity to provide consent, it is generally appropriate to assume they can also exercise their own data protection rights.
A young user who has this level of understanding can also authorise someone they trust, such as a trusted representative, guardian, parent, solicitor or advocate, to act on their behalf.
The ICO further says that parents and caregivers can exercise these rights on behalf of a young user if the young user authorises them to do so, when the young user does not have sufficient understanding to exercise their rights, or when it is evident that it’s in the best interests of the child.
This applies in all circumstances, including an online context where a parent or caregiver, rather than the child, gives consent.
The ICO provides advice when considering borderline cases, which should take into account:
- Where possible, the child’s level of maturity and their ability to make decisions like this.
- The nature of the personal data.
- Any court orders relating to parental or caregiver access or responsibility that may apply.
- Any duty of confidence owed to the child or young user.
- Any consequences of allowing those with parental or caregiver responsibility access to exercise the child’s rights. This is particularly important if there have been allegations of abuse or ill-treatment.
- The potential risks to the child or young user if individuals with parental or caregiver responsibility cannot access this information.
- Any views the child or young user has on whether their parents should have access to information about them.
When do you need to get parental or caregiver consent?
If you offer online services to children based on their consent, you must obtain parental or caregiver consent for children under the age of 13.
Do businesses need to create data maps around any interactions with children's data?
Absolutely.
You need to know:
- Whether you are processing children’s personal data
- Why your organisation is processing children’s data
- How your organisation is processing that data
These are basic questions that you would expect from a DPIA, which all businesses must complete and assess in accordance with the Code.
The ICO provides a DPIA template specifically designed to conform to the Code. This is a complex process, so legal guidance is advisable.
Meeting your legal duties under overlapping regimes
Complying with the Children’s Code means navigating not just a single standard, but a web of interconnected laws. Alongside the Code, your organisation may be subject to the Online Safety Act, the UK GDPR, and now the Data Use and Access Act – each bringing its own set of duties around how children’s data is collected, accessed and protected. This regulatory complexity is especially challenging for digital services accessed by young users.
Whether you’re building new systems or reviewing existing processes, our data protection solicitors can help you assess your compliance position, mitigate risk, and adopt practical solutions that satisfy overlapping legal frameworks, ensuring your service is both safe and lawful.