The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

This code came into force on 2 September 2020, with a 12 month transition period. Organisations should conform by 2 September 2021.

Children are being ‘datafied’ with companies and organisations recording many thousands of data points about them as they grow up. These can range from details about their mood and their friendships to what time they woke up and when they went to bed.

Conforming to this statutory code of practice will ensure that as an organisation providing online services likely to be accessed by children in the UK, you take into account the best interests of the child. It will help you to develop services that recognise and cater for the fact that children warrant special protection in how their personal data is used, whilst also offering plenty of opportunity to explore and develop online.

You have 12 months to implement the necessary changes from the date that the code takes effect following the Parliamentary approval process. The ICO approach to enforcement as set out in our Regulatory Action Policy will apply. That policy and this code both apply a proportionate and risk-based approach. 

The United Nations Convention on the Rights of the Child (UNCRC) recognises that children need special safeguards and care in all aspects of their life. There is agreement at international level and within the UK that much more needs to be done to create a safer online space for them to learn, explore and play.

In the UK, Parliament and government have acted to ensure that our domestic data protection laws truly transform the way we safeguard our children when they access online services by requiring the Commissioner to produce this statutory code of practice. This code seeks to protect children within the digital world, not protect them from it.

The code sets out 15 standards of age appropriate design reflecting a risk-based approach. The focus is on providing default settings which ensures that children have the best possible access to online services whilst minimising data collection and use, by default.

It also ensures that children who choose to change their default settings get the right information, guidance and advice before they do so, and proper protection in how their data is used afterwards. 

You should follow the standards as part of your approach to complying with data protection law. If you can show us that you conform to these standards then you will conform to the code. The standards are cumulative and interlinked and you must implement them all, to the extent they are relevant to your service, in order to demonstrate your conformity.

The detail below the standards provides further explanation to help you understand and implement them in practice. It is designed to help you if you aren’t sure what to do, but it is not prescriptive. This should give you enough flexibility to develop services which conform to the standards in your own way, taking a proportionate and risk-based approach. It will help you to design services that comply with the General Data Protection Regulation (GDPR) and the Privacy and Electronic Communications Regulations (PECR).