UK Age Appropriate Design Code finalized
Building anything online that kids might use? The UK's Age Appropriate Design Code is now final, and its scope is broad: if children could realistically access your service, you are covered. That means high-privacy defaults, geolocation off by default, no profiling for ads, and 12 more standards. You have a year to comply before enforcement starts.
Verified for technical accuracy — Kodi C.
The UK Information Commissioner's Office (ICO) published the final Age Appropriate Design Code on 21 January 2020. This statutory code of practice, also known as the Children's Code, establishes 15 design and governance standards that online services likely to be accessed by children must follow when processing their personal data. The code covers data minimization, profiling restrictions, geolocation controls, parental oversight mechanisms, and mandatory high-privacy default settings. Organizations have a 12-month transition period to implement the code before enforcement starts, requiring immediate attention to product design, data practices, and governance frameworks.
The 15 Standards of the Code
The Age Appropriate Design Code establishes comprehensive requirements across five key areas: transparency, data use, safety by design, governance, and enforcement. Standard 1 requires organizations to treat the best interests of the child as a primary consideration when designing and developing online services. Standard 2 mandates Data Protection Impact Assessments (DPIAs) that specifically assess and mitigate risks to children of different ages. Standard 3 requires age-appropriate application, meaning services must establish the age of users with a level of certainty appropriate to the risks.
Standards 4 through 8 address transparency and data use. Organizations must provide privacy information in clear, age-appropriate language that children can understand. Published terms and policies must be upheld without using deceptive design patterns that encourage children to provide more personal data than necessary or weaken their privacy protections. Data minimization requirements ensure that only the minimum amount of personal data necessary is collected and retained.
Standards 9 through 12 focus on data sharing, geolocation, parental controls, and profiling. Data sharing must be switched off by default unless compelling reasons justify enabling it. Geolocation services must be off by default and provide clear notifications when activated. Parental control options must be provided while respecting children's evolving capacity for autonomous decision-making. Profiling must be switched off by default unless essential to the core service, with restrictions on profiling for marketing or targeted advertising purposes.
Standards 13 through 15 address nudge techniques, connected toys, and online tools. Services must not use design features that exploit psychological vulnerabilities to encourage children to weaken privacy settings or provide additional personal data. Connected toys and devices must implement appropriate security measures and minimize data collection. Children must have access to effective tools for exercising their data protection rights.
Scope and Applicability
The code applies to online services likely to be accessed by children under 18, regardless of whether the service specifically targets children. This broad scope captures social media platforms, gaming services, streaming media, educational platforms, connected toys, news websites, and general audience services where children realistically constitute part of the user base. Organizations cannot avoid the code simply by stating in their terms of service that children should not use the service if that restriction is not effectively enforced.
Determining whether a service is likely to be accessed by children requires assessment of the nature of the service, its marketing approach, user demographics where known, and design features that might appeal to children. Services that actively attract children through game-like elements, animated content, or child-relevant subject matter face higher compliance expectations. However, even business-oriented services may fall within scope if children realistically access them for school projects, information gathering, or parental account usage.
International organizations must consider the code's extraterritorial reach. The code applies to services available in the UK regardless of where the service provider is located. Organizations operating globally may find it efficient to implement code requirements as baseline standards across all markets, particularly given similar regulatory trends in other jurisdictions including the United States (COPPA updates), European Union (Digital Services Act), and California (CCPA modifications for minors).
Business Impact and Implementation Challenges
Implementing the code requires significant investment in product design, technical infrastructure, and governance processes. Age verification or estimation mechanisms must balance accuracy requirements against usability concerns and the privacy implications of collecting additional data for verification purposes. Organizations must evaluate whether existing age-gate approaches provide sufficient confidence or whether improved methods such as AI-based age estimation or identity verification services are necessary.
Default privacy settings represent a fundamental shift for many services that rely on data collection and sharing for business models. Advertising-supported services face particular challenges as restrictions on profiling and targeting limit revenue potential from child users. Organizations must evaluate whether maintaining child audiences remains economically viable or whether excluding younger users through verified age restrictions is preferable.
Technical implementation of granular privacy controls requires engineering investment to enable different privacy configurations for different user categories. Systems must distinguish between child and adult users, apply appropriate defaults, and respect user preferences while preventing bypass. Integration with consent management platforms, analytics systems, and advertising technology requires careful coordination to ensure consistent application of privacy settings.
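The following is an added illustration, not code from the ICO or from any product the page describes, of how a service might enforce the default-off rules from Standards 9 through 12 server-side. It assumes a constructed set of setting names and age-confidence labels, treats an account with unknown age as a child (the fail-closed reading of Standard 3), and records every decision for the audit trail discussed under governance.

```python
from dataclasses import dataclass, field
from typing import Optional

CHILD_AGE_LIMIT = 18  # the code covers users under 18

# Constructed setting names. For children these must be off by default (Standards 9-12).
CHILD_DEFAULTS = {"data_sharing": False, "geolocation": False, "profiling": False, "ad_profiling": False}
# Profiling for marketing or targeted advertising cannot be switched on for a child at all.
CHILD_LOCKED = {"ad_profiling"}
# Constructed adult baseline; the code does not dictate it, the service does.
ADULT_BASELINE = {"data_sharing": False, "geolocation": False, "profiling": True, "ad_profiling": True}


@dataclass
class Account:
    age: Optional[int]        # None means the service has not established an age
    age_confidence: str       # constructed labels: "verified", "declared" or "unknown"
    settings: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)

    def is_child(self) -> bool:
        # Fail closed: an unknown or unestablished age is treated as a child.
        return self.age is None or self.age < CHILD_AGE_LIMIT or self.age_confidence == "unknown"


def apply_defaults(acct: Account) -> dict:
    """Initialise settings for a new account; children always start high-privacy."""
    category = "child" if acct.is_child() else "adult"
    acct.settings = dict(CHILD_DEFAULTS if category == "child" else ADULT_BASELINE)
    acct.audit.append(("defaults", category, dict(acct.settings)))
    return acct.settings


def request_change(acct: Account, setting: str, value: bool) -> dict:
    """Server-side gate for a settings change; the client is never trusted to enforce the rules."""
    if setting not in acct.settings:
        raise KeyError(setting)
    if acct.is_child() and value and setting in CHILD_LOCKED:
        acct.audit.append(("denied", setting, "locked for child accounts"))
        return {"applied": False, "setting": setting, "value": acct.settings[setting], "notify": False}
    acct.settings[setting] = value
    # Standard 10: a child switching geolocation on must receive a clear notification.
    notify = setting == "geolocation" and value and acct.is_child()
    acct.audit.append(("changed", setting, value))
    return {"applied": True, "setting": setting, "value": value, "notify": notify}
```

The same gate can be reused for bulk preference uploads from a client so that a tampered request cannot re-enable locked settings on a child account.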
Governance and Documentation Requirements
Organizations must establish governance structures that ensure ongoing compliance with the code. This includes designating responsible personnel, establishing review processes for new features and services, training staff on child-specific privacy requirements, and documenting compliance activities. Boards and senior leadership should receive regular reporting on children's privacy risk management.
Data Protection Impact Assessments must specifically address children's privacy risks across all age ranges likely to access the service. DPIAs should consider developmental differences between young children, pre-teens, and teenagers, recognizing that appropriate protections vary significantly across these groups. Regular DPIA reviews ensure assessments remain current as services evolve and user demographics shift.
Record-keeping must demonstrate compliance through documented policies, technical specifications, risk assessments, and audit trails. Organizations within scope should maintain evidence of design decisions, the rationale for data collection practices, and measures taken to minimize risks to children. This documentation supports regulatory engagement and provides evidence of good faith compliance efforts.
Enforcement and Consequences
The ICO has authority to enforce the code through the full range of regulatory tools available under UK GDPR and the Data Protection Act 2018. This includes assessment notices, enforcement notices, and administrative fines of up to £17.5 million or 4% of global annual turnover for serious violations. The ICO has indicated that children's privacy will be an enforcement priority, signaling active monitoring and investigation of potential violations.
Beyond regulatory enforcement, non-compliance creates reputational risks in an area of high public concern. Media coverage of children's privacy incidents attracts significant attention and can damage brand trust with parents and families. Organizations operating in children's markets face particular sensitivity where privacy failures could drive customers to competing services.
The code's status as a statutory code of practice means that organizations must either comply with its standards or show that alternative measures achieve equivalent outcomes. This flexibility acknowledges that prescriptive requirements may not suit all contexts, but places the burden on organizations to justify departures from the code's specific standards.