The ICO exists to empower you through information.

The Children’s code (or the Age appropriate design code) contains 15 standards that online services need to follow. This ensures they are complying with their obligations under data protection law to protect children’s data online.

Online services covered by the code are wide ranging and include

  • apps;
  • games;
  • connected toys and devices; and
  • news services.

If children are likely to access your service, even if they are not your target audience or user, then you need to consider the Children’s code.

Who does the code apply to?

The code applies to “information society services likely to be accessed by children”. The definition of an ISS is “any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services.”

What this means in practice is that most for-profit online services are ISS, and therefore covered by the code. This includes:

  • apps;
  • programs;
  • search engines;
  • social media platforms;
  • online messaging or internet based voice telephony services;
  • online marketplaces;
  • content streaming services (eg video, music or gaming services);
  • online games;
  • news or educational websites; and
  • any websites offering other goods or services to users over the internet.

Electronic services for controlling connected toys and other connected devices are also ISS.

If your online service is likely to be accessed by children under the age of 18, even if it’s not aimed at them, then you are probably covered by the code. This means you may need to make some changes to how you design your service and how you process personal data to ensure you conform with the code.

Does the code only apply to UK-based companies?

No. The code applies to UK-based companies and non-UK companies who process the personal data of UK children.

What do I have to do to conform with the code?

Things you may need to think about or implement are:

  • Mapping what personal data you collect from UK children.
  • Checking the age of the people who visit your website, download your app or play your game.
  • Switching off geolocation services that track where in the world your visitors are.
  • Not using nudge techniques to encourage children provide more personal data.
  • Providing a high level of privacy by default.

Further help and resources are available on our additional resources page

Does the Children’s code apply to schools?

No, the Children’s code does not apply to schools and educational and training institutions processing the information of people under the age of 18 for the purposes of education.

To be defined as an ISS, you must meet several qualifying conditions which are set out in the code (see our guidance on the services covered by the code). Schools do not meet the definition of an ISS.

However, Standard 1 of the code – to ensure that the best interests of children are a primary consideration when their personal information is processed – closely aligns with schools’ own duties. Schools must comply with your obligations under UK GDPR and the DPA 2018. The code sets out what good practice compliance looks like in the specific areas it covers. Schools should aspire to meet the code’s 15 standards as general good practice.

Does the Children’s code apply to edtech services used in schools?

The Children’s code may apply to providers of edtech used in schools.

Although the code does not apply to schools, an edtech service used in or by a school can still satisfy the definition of an ISS. In these circumstances, the provider of the edtech service may be in scope of the code. For further information, see our guidance on The Children’s code and education technologies (edtech).

What about online schools or education?

The Code will apply to providers of online schools and education if their services are usually provided for remuneration, at a distance, by electronic means and at the request of the end user (i.e. child or their parents).

What about government or local authorities?

A public authority which provides an online public service that is not typically provided on a commercial basis is not a relevant ISS. This is because it is not a service ‘normally provided for remuneration’.

In the context of the provision of educational services, government and local authorities are not relevant ISS and the code does not apply to them.

However, where you have a role in deciding which edtech services are used in educational institutions, it is important that your relationships with schools and edtech providers are clearly defined. Our guidance on controllers and processors has more information.

Where government or local authorities exercise a degree of decision-making in how personal information is used and for what purposes, you may assume the role of a controller. For example, if you are involved in procuring the edtech services used by schools. In these circumstances, you must comply with your respective obligations as a controller. For example, you should undertake the necessary due diligence of the edtech services and providers to discharge your obligations under UK GDPR and DPA 2018.