The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

Today the Information Commissioner’s Office opens consultation on 16 standards that online services must meet to protect children’s privacy.

Age appropriate design: a code of practice for online services sets out the standards expected of those responsible for designing, developing or providing online services likely to be accessed by children and which process their data.

When finalised, it will be the first of its kind and become an international benchmark.

Elizabeth Denham, Information Commissioner, said:

“This is the connected generation. The internet and all its wonders are hardwired into their everyday lives. We shouldn’t have to prevent our children from being able to use it, but we must demand that they are protected when they do. This code does that.”

Introduced by the Data Protection Act 2018, the draft code sets out 16 standards of age appropriate design for online services like apps, connected toys, social media platforms, online games, educational websites and streaming services. It is not restricted to services specifically directed at children.

The draft code says that the best interests of the child should be a primary consideration when designing and developing online services. It says that privacy must be built in and not bolted on.

Settings must be “high privacy” by default (unless there’s a compelling reason not to); only the minimum amount of personal data should be collected and retained; children’s data should not usually be shared; and geolocation services should be switched off by default in most circumstances. So-called “nudge techniques” should not be used to encourage children to provide unnecessary personal data, to weaken their privacy settings or carry on using the service longer than they had intended. It also addresses issues of parental control and profiling.

Ms Denham said:

“The ICO’s Code of Practice is a significant step, but it’s just part of the solution to online harms. We see our work as complementary to the current focus on online harms, and look forward to participating in discussions regarding the Government’s white paper.”

The code gives practical guidance on data protection safeguards that ensure online services are appropriate for use by children. It leaves online service providers in no doubt about what is expected of them when it comes to looking after children’s personal data. It helps create an open, transparent and safer place for children to play, explore and learn online.

The standards in the code are rooted in existing data protection laws that are regulated by the ICO. Organisations should follow the code and demonstrate that their services use children’s data fairly and in compliance with data protection law. Those that don’t, could face enforcement action including fines of up to £17million or 4% of global turnover or orders to stop processing data.

Baroness Kidron, who led the parliamentary debate about the creation of the code, said:

“I welcome the draft code released today which represents the beginning of a new deal between children and the tech sector. 

“For too long we have failed to recognise children’s rights and needs online, with tragic outcomes. 

“I firmly believe in the power of technology to transform lives, be a force for good and rise to the challenge of promoting the rights and safety of our children. But in order to fulfil that role it must consider the best interests of children, not simply its own commercial interests. That is what the code will require online services to do. This is a systemic change.”

The code is out for consultation until 31 May. The final version will be laid before Parliament and is expected to come into effect before the end of the year.

The code was informed by initial views and evidence gathered from designers, app developers, academics and civil society. You can read the responses here. 

The ICO also sought views from parents and children by working with research company Revealing Reality. The findings from that work are published for the first time today. 

Notes to Editors

  1. The Information Commissioner’s Office (ICO) is the UK’s independent regulator for data protection and information rights law, upholding information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
  2. The Government included provisions in the Data Protection Act 2018 to create world-leading standards that provide proper safeguards for children when they are online.

As part of that, the ICO is required to produce an age-appropriate design code of practice to give guidance to organisations about the privacy standards they should adopt when offering online services and apps that children are likely to access and which will process their personal data. (A link to the parliamentary debate, led by Baroness Kidron, is here.)

The standards in the Code will be backed by existing data protection laws which are legally enforceable and regulated by the ICO. The regulator has powers to take action against organisations that break the law including tough sanctions like orders to stop processing data and fines of up to £17million or 4% of global turnover.

  1. The ICO has specific responsibilities set out in the Data Protection Act 2018 (DPA2018), the General Data Protection Regulation (GDPR), the Freedom of Information Act 2000 (FOIA), Environmental Information Regulations 2004 (EIR) and Privacy and Electronic Communications Regulations 2003 (PECR).
  2. Since 25 May 2018, the ICO has the power to impose a civil monetary penalty (CMP) on a data controller of up to £17million (20m Euro) or 4% of global turnover.
  3. The GDPR and the DPA2018 gave the ICO new strengthened powers.
  4. The data protection principles in the GDPR evolved from the original DPA, and set out the main responsibilities for organisations.
  5. To report a concern to the ICO, go to