What Is the Age-Appropriate Design or Children’s Code? 

In today’s digital age, children are at particular risk. Increasingly, children of young ages are accessing a range of online platforms daily, requiring additional safeguards to protect their data and well-being. As such, the UK data protection regulator has implemented the ‘Age-Appropriate Design Code’ (commonly known as the Children’s Code) as an innovative step to protect children online. This article will explore the Children’s Code and its implications for businesses. 

What is the Age-Appropriate Design or Children’s Code? 

The UK General Data Protection Regulation (UK GDPR) is a legal framework governing the handling of personal data, setting critical rules and guidelines for businesses regarding the collection, processing, and storage of such information. It is a set of laws designed to protect individuals’ privacy and ensure that organisations handle their data responsibly. The Data Protection Act 2018 supplements the UK GDPR. 

To help protect children’s personal data, the data protection regulator, the Information Commissioner’s Office (ICO), has published the Age-Appropriate Design Code, most widely known as the ‘Children’s Code’. This is a statutory code prepared under the UK Data Protection Act 2018. 

This code contains 15 standards that online services must adhere to. These standards focus on prioritising the privacy and safety of children in their digital interactions.

GDPR Essentials Factsheet

This factsheet sets out how your business can become GDPR compliant.

Download Now

The Age-Appropriate Design Code applies to ‘information society services’. This will capture many online services likely to be accessed by children, including apps, social media, streaming platforms, and more services. Even if not aimed at children, services used by those under 18 may need adjustments to meet the code’s standards.

Protecting children’s data is vital for numerous reasons. Children are often more vulnerable to privacy breaches and online dangers due to their limited understanding of digital risks. Additionally, their personal information, if mistreated, can have long-lasting adverse outcomes, including identity theft, cyberbullying, and exposure to inappropriate content.

By applying strong measures defined in the Age-Appropriate Design Code, online services can ensure that children’s data is handled carefully and that their online experiences are tailored to their developmental stage. This helps safeguard child privacy and fosters a safer and more trustworthy digital environment for young users.

What Does the Age-Appropriate Design Code State?

The Age-Appropriate Design Code creates a wide-ranging framework for online services prioritising children’s well-being.  

The standards set out fundamental principles to protect the privacy of children, which in simple terms, include the following principles:

• Best interests of the child: This ensures that children’s best interests are a primary concern when designing online services;
• Data protection impact assessments: This requires assessing and mitigating risks by carrying out this risk assessment to ensure compliance with the code;
• Age-appropriate application: This involves applying standards based on user age, with methods for age assurance provided;
• Transparency: This involves providing clear, concise privacy information suited to the child’s age;
• Detrimental use of data: This is around avoiding using children’s data in ways harmful to their well-being;
• Policies and community standards: Organisations must uphold their own published terms, policies, and community standards;
• Default settings: This requires using high privacy settings by default unless necessary;
• Data minimisation: Organisations must collect and retain only necessary data, offering children choices;
• Data sharing: This involves limiting the sharing of children’s data unless there is a compelling reason for the same; 
• Geolocation: This requires that default geolocation options should be off by default, with clear indications when active;
• Parental controls: This requires providing age-appropriate information about parental controls;
• Profiling: Default profiling options should be off, with measures to protect children from harm;
• Nudge techniques: Organisations should avoid using nudge techniques to encourage unnecessary data sharing;
• Connected toys and devices: Practical tools should be used with connected toys and devices to encourage code compliance; and
• Online tools: Organisations should provide accessible tools for children to exercise rights and report concerns.

What Does the Code Mean for Businesses?

 A business may need to take several steps to ensure compliance with the code.

 This may involve taking steps including:

• assessing the personal data collected from children;
• verifying the age of users;
• disabling geolocation services that track users’ locations;
• avoid using nudge techniques to solicit excessive personal data from children;   
• implementing a default high level of privacy protection, e.g. high privacy settings; 
• collecting only minimal amounts of personal data as required from children;
• publish child-friendly privacy policies which child users can understand; and
• carrying out data protection impact assessments to assess the risk to children’s privacy. 

The code’s requirements may seem demanding and challenging to navigate in practice. However, organisations must understand and comply with it. If you need help with how these standards apply to your services, you should seek advice from an experienced data protection solicitor who can support you. 

Key Takeaways 

The protection of children’s data is vital. Businesses should take active steps to align with the code and ensure compliance with its standards. This involves thorough assessments of data collection practices, including mapping out personal data collected from children. Additionally, businesses need mechanisms to verify the age of users accessing their platforms, whether through websites, apps, or games. Measures such as disabling geolocation services and refraining from using manipulative techniques to obtain excessive personal data from children are crucial. 

Further, implementing high-level privacy protection by default is essential to effectively meeting the code’s requirements. By embracing these actions, businesses demonstrate their commitment to safeguarding children online and contribute to building a safer and more trustworthy environment for their child users.

If you need help with UK GDPR compliance, LegalVision’s experienced privacy lawyers can assist you as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 0808 196 8584 or visit our membership page.