The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

The Children’s Code (or the Age Appropriate Design Code) contains 15 standards that online services need to follow. This ensures they are complying with the their obligations under data protection law to protect children’s data online.

Online services covered by the code are wide ranging and include

  • apps;
  • games;
  • connected toys and devices; and
  • news services.

If children are likely to access your service, even if they are not your target audience or user, then you need to consider the Children’s Code.

Who does the code apply to?

The code applies to “information society services likely to be accessed by children”. The definition of an ISS is “any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services.”

What this means in practice is that most for-profit online services are ISS, and therefore covered by the code. This includes:

  • apps;
  • programs;
  • search engines;
  • social media platforms;
  • online messaging or internet based voice telephony services;
  • online marketplaces;
  • content streaming services (eg video, music or gaming services);
  • online games;
  • news or educational websites; and
  • any websites offering other goods or services to users over the internet.

Electronic services for controlling connected toys and other connected devices are also ISS.

If your online service is likely to be accessed by children under the age of 18, even if it’s not aimed at them, then you are probably covered by the code. This means you may need to make some changes to how you design your service and how you process personal data to ensure you conform with the code.

Does the code only apply to UK-based companies?

No. The code applies to UK-based companies and non-UK companies who process the personal data of UK children.

What do I have to do to conform with the code?

Things you may need to think about or implement are:

  • Mapping what personal data you collect from UK children.
  • Checking the age of the people who visit your website, download your app or play your game.
  • Switching off geolocation services that track where in the world your visitors are.
  • Not using nudge techniques to encourage children provide more personal data.
  • Providing a high level of privacy by default.

Our guidance on the 15 standards gives you the information you need to get started. You can also watch our refresher webinar here (hosted on YouTube), hear about the importance of the code from Elizabeth Denham on a #kidtech podcast and read a blog from Deputy Commissioner Steve Wood about how businesses can benefit from ICO support when implementing the code.

Are you considering leveraging app publishing platforms (App store, Google Play) to implement children safeguards on mobile apps?

The office plays an active role in supporting data controllers to conform with the code, through a range of guidance and engagement channels. One such channel is through supporting the development of industry-wide standards where appropriate.  We are working with bodies active in this sector, including TIGA, UKIE and the Mobile Games Intelligence Forum. Whilst we would generally support any changes made by app publishing platforms that enable conformance with the code, we are currently focused on providing more direct support to app developers and online services falling under the scope of the code.

Why don’t you adopt the vulnerability by design strategy?

The code recommends a "data protection by design" approach, so to avoid potential confusion caused by similar terms we do not explicitly use a "vulnerability by design" framing within it.  The best interests of the child standard does, however, embody the spirit of vulnerability by design principles. This standard outlines how the UN Convention on the Rights of the Child, which the code is grounded in, is relevant. It says organisations should start with "the intention of providing whatever is best for each individual child" (including those with vulnerabilities), and that organisations should also "support the needs of children with disabilities in line with [their] obligations under the relevant equality legislation for England, Scotland, Wales and Northern Ireland". Online services should also think carefully about potential vulnerabilities when recognising the evolving capacity of the child to form their own views.

Will any updates to the guidance be made in light of Covid-19?

As a statutory code that the UK Parliament approves, we are unable to make changes to the content without re-submitting it via the formal approval process. We don't envisage doing so before the first code review period in autumn 2022. However, we provide supplementary Children’s Code guidance during the transition period (which ends on 2 September 2021) via our hub. For general support for businesses affected by COVID-19, please see our coronavirus information hub.

Implementing the code might need an engineering solution or changes to services. Companies will have to manage this within their product / engineering road maps, which may go beyond the implementation period for the code. What is your view on that? 

We are conscious that the transition period may be a challenge for companies needing to make complex changes to systems or products. Where you can’t conform with the code by the end of the transition period, we would want to see:

  • your road map;
  • how you are addressing the greatest risks to children’s privacy;
  • how you are prioritising development and conformance work; and
  • how and by when you plan to make required changes.

Are there any international cooperation initiatives already in place to ensure a degree of alignment around the requirements?

Whilst the Children's Code is the first of its kind, it reflects the global direction of travel. The USA and Europe are considering similar initiatives. The Organisation for Economic Co-operation and Development (OECD) Recommendation on Children in the Digital Environment was published in May 2021, and the United Nations’ General Comment on Children’s rights in relation to the digital environment has also recently been adopted. We are actively engaging with the Irish Data Protection Commissioner (IDPC) about their Fundamentals for Child-orientated Approach to Data Processing guidance, and with the Federal Trade Commission (FTC), the OECD and other international stakeholders.

Do businesses need to create data maps around any interactions with children's data?

Yes. Understanding where, how and why you use children's data is a fundamental step in completing a data protection impact assessment (DPIA), which all organisations in-scope of the scope of the code must complete. Step two within the DPIA standard provides more details on this mapping process, and we will also be providing further guidance on this area as part of our Childrens code resources for designers which will be published in the summer of 2021.

Within the context of universities speaking to prospective students) You mention geolocation, but we may need to use this to target an international student that can speak in the language of their choice. Any advice would be welcome.

The geolocation standard within the code does not prohibit the use of geolocation data or tracking. Where online services use it, they should ensure that they set these functions to off by default (unless it is essential for a service to function), making it obvious to children where it is active, and switching geolocation tracking off when not in use.

Can online tools be a 're-direct' to external resources e.g. developed by children associations etc.?

"Online tools" in the context of the code only refers only to mechanisms available to children to exercise their data rights under UK data protection law - for example, the right to request a copy of their data, or to have inaccurate data corrected. You should make sure online tools are accessible and prominent. Pointing users to external guidance explaining what their data protection rights are could support this requirement.

Broader "online tools" - for example, those for users to report problematic content or flag a general problem with a service - are beyond the scope of the code.