The ICO exists to empower you through information.

About the Children’s code

The age-appropriate design code – or ‘Children’s code’– is a data protection code of practice for online services, such as apps, online games, and web and social media sites, likely to be accessed by children (people under 18) in the UK. It applies to any online services likely to be accessed by a significant number of children, even where they’re aimed at adults.

The code aims not to protect children from the digital world, but instead protect them within it, by ensuring online services are better designed with children in mind. It is a 'how to' guide to help services that process children's information understand how they can comply with the law.

Organisations that do not follow the code could face action by us which includes compulsory audits, orders to stop processing and fines.

Does the code apply to us?

First, you must decide if a significant number of children are likely to access your service, even if it’s not aimed at them.

You could identify whether children are likely to access your service by:

  • carrying out age checks;
  • third party research;
  • considering whether you include content that children like, such as cartoons;
  • considering whether you receive contact or complaints from children or parents; and
  • considering if children are known to like services similar to the ones you’re offering.

Further reading

We have published guidance for ISSs whose service is likely to be accessed by children, even if it is not aimed or targeted at children.

What do we need to do?

If children are likely to access our service, what do we need to do?

1. Put the children first.

  • What’s the age range of people who use our service?
  • What do we know about the age of individual users?
  • How much personal information do we really need?
  • Should we be sharing their personal information?
  • Is it fair to children to use their personal information that way?
  • When we use children’s personal information, how might it affect their privacy, their health or their wellbeing?

2. Give children a high privacy service by default.


  • Optional uses of personal information switched ‘off’ by default.
  • Behavioural advertising switched ‘off’ by default.
  • Privacy settings set to ‘high’ by default.
  • Data sharing limited by default.
  • Showing location to the world ‘off’ by default. 

3. Give children an age-appropriate service even if they change their default settings.

4. Provide age-appropriate communications.

Teddy bear holding sign saying you need to check with a trusted adult before you do this.

5. Provide tools which help children when they need it.

Buttons showing download my data and delete my data options


What if we don’t know how old our users are?

Your approach will depend on what you are doing with the information and what impact that might have on children. Some options are:

  • do some age checks, there are technical measures you can use to do this; or
  • provide a high privacy service to all users by default.

More information and guidance

If you want to understand what the code is all about then this document is a good place to start. We recommend that you consult our more detailed guidance: