How to comply with the Children’s Code

Lesley O'Neill

Lesley O'Neill

Guest author from UK

If your company provides services likely to be accessed by children in the UK, the Children’s Code will apply. The new law aims to better protect children’s data when they are online. Our guide explains all you need to know about the Children’s Code for UK companies and non-UK companies with a branch, office or establishment in the UK.



What is the Children’s Code?

The Children’s Code (formally entitled the ‘Age Appropriate Design Code’) is a statutory code of practice under the Data Protection Act 2018 (DPA 2018) requiring organisations to provide better online privacy protections for children. It came into force on 2 September 2020 and aims to ensure that children automatically have a baseline of protection by design and default. Importantly, it is not limited to services specifically directed at children.

Does the Children’s Code apply to my organisation?

According to the Information Commissioner’s Office (ICO) the code applies to organisations (‘information society services’) providing online services and products likely to be accessed by children up to age 18. As the code is risk based, it does not apply to all organisations in the same way. Your organisation is more likely to have to take steps to conform with the code if you are responsible for designing, developing or providing online services like apps, connected toys, social media platforms, online games, educational websites and streaming services that use, analyse and profile children’s data.

Therefore, all of the major social media and online services used by children in the UK will need to conform to the code.

How do you know if services are ‘likely to be accessed by children’?

If your service is designed for and aimed at under-18s the code applies. However, even if your services are not specifically targeted at children, but are likely to be used by under-18s, it will apply (s.123 of the DPA). In practical terms, whether or not your service is likely to be accessed by children will depend on:

  • the nature and content of the service and whether it particularly appeals to children;
  • how the service is accessed and measures you have put in place to prevent children gaining access.

Enforcement and fines for the Children’s Code

Organisations should conform with the code by 2 September 2021. If at the end of this period, the ICO has concerns about the way in which children’s personal data is being used, or receives a complaint, it will investigate. If organisations fail to comply, the ICO has the power to conduct compulsory audits, issue orders to stop processing and apply fines of up to 4% of global turnover.

What to do next

The code applies to both new and existing services. We recommend that you:

  • Review your existing services to establish whether they are covered.
  • Review your data protection impact assessment (DPIA) or conduct a new one as soon as possible. If your services are covered, you should already have a DPIA as required under the GDPR.
  • Assess whether your organisation conforms with the standards in the code.
  • Identify additional measures you need to take to conform.

Further information and guidance can be found at the ICO’s new web hub.

Let us help with your data protection needs

Our team of specialist data protection lawyers can provide support on all of your company’s data protection needs, including reviewing:

  • Your existing services to ensure that they comply with regulatory standards
  • Your DPIAs (or conducting new ones)
  • The measures you have taken to protect and secure the personal data you process

We will identify any additional measures you need to take now and provide detailed recommendations on how to implement them. Click here to see all of our data protection support services.


Contact us!