The ICO’s ‘Children’s Code’

The Legal Digest
3 min readSep 20, 2021


The Information Commissioner’s Office (“ICO”) ‘Age Appropriate Design Code’ (the “Code”) came into force on 2 September 2021.

Photo by Julien BRION from Pexels

The Code contains a set of standards for designing and providing online services to ensure that they safeguard the personal data of children (being any individual under the age of 18) and requires certain information society service (“ISS”) providers, to comply with these standards.

Who does the Code apply to?

The code applies to ISS providers offering services such as apps, websites, content streaming services, and electronic services for controlling connected toys, which are likely to be accessed by children.

The code applies to online services based in the UK and also online services based outside the UK with a branch, office, or other establishments in the UK and processing personal data in the context of the activities of that establishment.


The ICO has the power to issue fines of up to £17.5 million or 4% of annual worldwide turnover, whichever is higher.

Requirements under the Code

The key requirements under the Code are summarised below:

Best interests of the child

ISS providers should consider how their use of a child user’s personal data can, amongst other things:

  • keep them safe from exploitation risks, including commercial or sexual exploitation;
  • protect and support their physical, psychological, and emotional development and health;
  • protect and support their need to develop their own views and identity and their right to freedom of association and play; and
  • recognize the role of parents in protecting and promoting the best interests of the child and support them in this task.

Data protection impact assessment

Data protection impact assessments (“DPIA”) help identify and minimise data protection risks that arise from the processing of the personal data of children likely to access the ISS.

Age-appropriate application

ISS providers should ensure that all children are protected and so the level of protection should be appropriate for their age. ISS providers can use third-party age verification services or use artificial intelligence to assess the user’s age by analyzing the way in which they interact with the service.

Data minimization

ISS providers should only collect the minimum amount of personal data needed to deliver the element(s) of the ISS in which the child is actively and knowingly engaged.


Geolocation tracking options should be turned off by default (unless you can demonstrate a compelling reason for the setting to be turned on by default, taking account of the best interests of the child).

Parental controls

Parental controls, whilst an important way of helping parents to protect their child’s best interests, impact upon the child’s right to privacy. Age-appropriate information should be provided to notify the child to the fact that parental controls are in place, including an alert when any parental monitoring or tracking is in place.

The Code introduces further penalties under the data protection framework equivalent to the level of sanctions under the GDPR and UK DPA 2018. As we move into the digital world this is an indication of the way that the ICO ensures the responsibility of ISS providers in ensuring that their products are designed so that data subjects are protected.



The Legal Digest

Insights and commentary on law and business @the_legal_digest