The Children's Code (or the age appropriate design code as it is sometimes known) is an internet safety and privacy code of practice created by the Information Commissioner's Office (ICO). It was implemented on 2 September 2020. Compliance with the Code is enforceable under the DPA.

The Code consists of 15 standards that online services need to follow in order to ensure that they are complying with their obligations under data protection law to protect children’s data online. This covers a wide range of areas including:

  • Apps
  • Social media platforms
  • Search engines
  • Online games
  • Connected toys and devices
  • Content streaming services
  • Any websites offering goods and services on the internet for remuneration

The Code applies to any service that is likely to be accessed by children under the age of 18 even if it is not specifically aimed at them. In September 2022, the ICO clarified that the Code also applies to "adults-only" services if those services are "likely to be accessed by a significant number of children".

The code applies to UK-based companies and non-UK companies who process the personal data of UK children.

In order to comply with the Code, a company will need to meet certain standards and take specific steps such as:

  • Ensuring that the best interests of children are a primary consideration when their personal information is processed
  • Ensuring robust age verification measures are in place
  • Mapping what personal data they collect from UK children
  • Checking the age of the people who visit the website, download the app or play their game
  • Switching off geolocation services that track where in the world their visitors are
  • Not using nudge techniques to encourage children to provide more personal data
  • Providing a high level of privacy by default

The Children’s Code does not typically apply to schools and educational and training institutions processing the information of people under the age of 18 for the purposes of education. It will, however, apply to online educational services which are provided for remuneration.

Businesses offering online services now need to build a Children’s Code Risk Assessment into their accountability requirements, which should take account of the factors raised in the ICO's guidance. This assessment must be documented and supported by evidence where it is decided that the Children’s Code does not apply. 

There are significant consequences for a company where they have not complied with the code. Recently the ICO fined TikTok £12.7 million for misusing children’s data. TikTok failed to have robust age verification measures in place and monitor the use of its platform by under 13s. The ICO also issued an enforcement notice against Snap, in respect of its failure to assess the risks regarding its generative AI chatbot “My AI”.

These fines and sanctions offer a stark warning to any business offering online services which might be accessed by children. They form part of wider action being taken by the government and regulators to safeguard children. This includes the recent implementation of the Online Safety Act.