ICO publishes new statutory code to protect children when using online services


The ICO has published its Age Appropriate Design Code (see ICO Code) aimed at protecting children online.

The Code isn’t yet in force (Parliament has to approve it first, following which there will be a 12-month transitional period). However, the ICO anticipates that it will come into full effect in the autumn of 2021, giving organisations affected by the Code a year and a half to get their houses in order.

The Code is tied to the statutory obligations which organisations have under the GDPR and PECR. Consequently, organisations which fail to adhere to the standards set out in the Code will find it difficult to demonstrate that they have met their obligations under the GDPR/PECR. This could result in enforcement action by the ICO and ultimately fines (and as we all know, under the GDPR, the ICO has the power to issue fines of up to €20 million or 4% of annual, worldwide turnover, whichever is the higher).

Who will the Code apply to?

The Code will apply to organisations which provide online products or services for remuneration that process personal data and are likely to be accessed by children. Such products or services will include apps, programs, websites, games and connected toys and devices. Since the Code will apply regardless of whether an online product or service is specifically targeted at children, many online service providers will fall within its remit.

Websites, apps and social media platforms that rely on revenue generated by advertising will fall within the scope of the Code (as such services are generally regarded as being provided for remuneration).

What exactly will the Code do?

The Code will introduce 15 standards of ‘age appropriate design’ which organisations will need to implement in order to ensure that any processing of personal data relating to children complies with the data protection principles and other key rights and requirements under the GDPR.

As well as explaining what each standard means and its purpose, the Code provides organisations with practical guidance on how they can achieve compliance. However, it will be up to individual organisations to assess the risks to children posed by their particular online service or product and implement measures and safeguards appropriate to those specific risks.

What are the standards?

The standards are underpinned by a general requirement that the best interests of the child should be a primary consideration when an organisation designs and develops online services likely to be accessed by a child.

The other standards include:

  • The need to embed a data protection impact assessment (‘DPIA’) into the design of any new online service which is likely to be accessed by children;
  • The need for organisations to apply protections and safeguards which are age appropriate. In order to do so, organisations will generally need to verify the age range of their users. The ICO lists various methods that organisations can use to do this, ranging from self-declaration to third party age verification services. However, the Code advises that self-declaration will only be suitable for low risk processing;
  • The need for organisations to be transparent (i.e. clear, open and honest) with children about their use of personal data. This will include the need to bring clearly drafted privacy information to the attention of children, provide just-in-time notices and present information in a child-friendly way (such as by using diagrams and cartoons);
  • The need to switch geolocation options off by default (unless an organisation can demonstrate a compelling reason for doing otherwise);
  • A requirement that organisations do not disclose children’s data to others (again, unless they can demonstrate a compelling reason to do so); and
  • A requirement that organisations do not use nudge techniques to encourage children to provide unnecessary personal data or turn off privacy protections.

The ICO encourages organisations to read the Code in full in order to understand how to implement each standard properly. Indeed, bearing in mind that non-compliance with the Code may be used to evidence breaches of the GDPR and/or PECR, we’d urge service providers to get to grips with the Code as soon as possible.

If you’d like any further information, please contact a member of our Information Law Team.






Lowri Phillips


Partner, Cardiff

+44 (0)29 2039 1758


Hayley Lewis


Head of Knowledge Management, Cardiff

+44 (0)29 2039 1785