The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

This code came into force on 2 September 2020, with a 12-month transition period. Organisations should conform by 2 September 2021.

Section 123 of the DPA 2018 says this code must contain:

“such guidance as the Commissioner considers appropriate on standards of age-appropriate design of relevant information society services which are likely to be accessed by children.”

It defines ‘standards of age-appropriate design’ as:

“such standards of age-appropriate design of such services as appear to the Commissioner to be desirable having regard to the best interests of children.”

The standards are not intended as technical standards, but as a set of technology-neutral design principles and practical privacy features. The focus of the code is to set a benchmark for the appropriate protection of children’s personal data. Different services will require different technical solutions.

You must build the standards set out in this code into your design processes from the start, into subsequent upgrade and service development processes and into your DPIA process.

For more information on how we enforce these standards, see the separate section on enforcement of this code.