Age Appropriate Design Code

Are you designing, developing or providing online services that children are likely to use? Our Age Appropriate Design Code provides a set of 15 standards that online services should meet to protect children's privacy. Online services include apps, connected toys, social media platforms, online games, educational websites and streaming services.

Previous hot topics


Data protection fee letters 

If you are in the care home or the finance sector you may have received a letter from the us about your obligation to pay a data protection fee. If you have already paid your fee you do not need to take any action. If you need to pay or unsure if you do you can find further information here.


'Soft opt in'

You must not send marketing emails or texts to individuals without specific consent. There is a limited exception to this for existing customers – this is known as ‘soft opt-in’.

You can send marketing to existing customers under ‘soft opt-in’ without the usual consent if you can satisfy all of the following;

  1. You obtained the customer’s contact details directly (not from a third party) during a purchase or enquiry about purchasing a similar product or service from you;
  2. They were given the option to opt-out of receiving marketing at the time you took their details, and;
  3. They are given the option to opt-out of receiving marketing in every marketing message sent to them.

Further guidance on electronic mail marketing and the ‘soft opt-in’ can be found on our website.


Cookies and similar technologies

You must tell people if you set cookies, and clearly explain what the cookies do and why. You must also get the user’s consent. Consent must be actively and clearly given.There is an exception for cookies that are essential to provide an online service at someone’s request (eg to remember what’s in their online basket, or to ensure security in online banking).The same rules also apply if you use any other type of technology to store or gain access to information on someone’s device.

Further guidance can be found on our cookies and similar technologies page


Brexit and data protection

Before Brexit, personal data could be sent to and from other EU states because the UK was a member state of the EU.

Data Protection and the Withdrawal Agreement
Although we are now leaving the EU, there will be a transition period until the end of 2020. During this time you won’t need to make any changes and the GDPR will still apply.

What happens next?
The UK
 is committed to high data protection standards and is seeking ‘adequacy decisions’ from the EU. This would allow personal data to carry on flowing freely between the UK and EU, even after the transition period ends.

We have produced some 
Brexit FAQs that explain the current situation in more detail, and we will be updating our Data Protection and Brexit guidance as appropriate so please keep checking the website. This will help your business to get ready for the end of the transition period.  


Parish councils data protection compliance 
Local government 

Following our work with over 50 town and parish councils across the UK, we’ve developed a suite of resources to help local councils with some of their key data protection issues.


Business-to-business marketing

Does the GDPR apply to business-to-business marketing? What counts as consent? These are just a couple of questions we get about business to business marketing under the new law. Our document about the rules around B2B marketing, the GDPR and PECR answer these and many more.