Background to the Children’s Code

The Government included provisions in the Data Protection Act 2018 for the ICO to create a world-leading code of practice on age-appropriate design that would provide proper safeguards for children when they are online.

The age-appropriate design code is intended to give guidance to organisations about the privacy standards they should adopt when offering online services and apps that are likely to accessed by children.

Organisations should conform to the code and demonstrate that their services use children’s information fairly and in compliance with data protection law. 

A link to the Parliamentary debate, led by Baroness Kidron, is here.

The standards in the code were backed by existing data protection laws which are legally enforceable and regulated by the ICO. The regulator has powers to take action against organisations that break the law including tough sanctions like orders to stop processing data and fines of up to £17million or 4% of global turnover.

The first draft of the code went out to consultation in April 2019. It was informed by initial views and evidence gathered from designers, app developers, academics and civil society.
The ICO also sought views from parents and children by working with research company Revealing Reality.

As part of the ICO’s work to create the code we reviewed and considered existing studies and research brought together here.

The Secretary of State laid the Age Appropriate Design Code to Parliament under section 125(1)(b) of the Data Protection Act 2018 (the Act) on 11 June 2020. The ICO issued the code on 12 August 2020 and it will come into force on 2 September 2020 with a 12 month transition period.

Alongside the AADC itself, the ICO has published complementary guidance on specific questions, such as the application of age assurance technology, what is meant by the term ‘likely to be accessed by children’, and how to design services for children. The ICO refers to this wider suite of guidance products along with the AADC as the Children’s code.

In 2023, the ICO published an evaluation of the impact of the Children’s code. This review found that the code’s:

• pioneering approach has been emulated around the world, including in places like California and Ireland; 
• impact has been reinforced by some large online platforms implementing measures to make their services more suitable for children, often applying them beyond the UK; and 
• related certification schemes are trailblazing and the ICO is leading the way globally on data protection authority approved schemes.

The Children’s code strategy was launched in April 2024 to drive improvements online, in particular on social media and video sharing platforms. The strategy has looked in detail at recommender systems, default privacy settings, including geolocation settings, targeted advertising and how under 13s are protected online through age assurance technology. The strategy was extended to include mobile games in 2025.

Online Safety Act

The Online Safety Act was introduced in 2023, bring new protections for children. Ofcom are responsible for the regulation of this law, and we collaborate with them on issues where online safety and data protection intersect. We have published a joint statement to set out how we will work together on areas of mutual interest to achieve a coherent approach to regulation.