Governance Briefing — UK Age Appropriate Design Code finalized
The UK Information Commissioner’s Office confirmed the final Age Appropriate Design Code, setting 15 standards online services must follow when processing children’s data, including data minimization, geolocation and profiling controls, and high-privacy defaults.
Executive briefing: The UK ICO published the final Age Appropriate Design Code on . The statutory code sets 15 design and governance standards for online services likely to be accessed by children, covering data minimization, profiling, geolocation, parental controls, and default privacy settings. Organizations have a 12-month transition to embed the code before enforcement.
What changed
- Default settings for child users must be set to high privacy with data sharing, profiling, and geolocation switched off unless necessary.
- Services must apply data minimization, avoid nudging children toward weaker privacy, and provide age-appropriate explanations of data use.
- Governance expectations include DPIAs focused on children’s risks and robust controls around connected toys and devices.
Why it matters
- Establishes detailed guardrails under the GDPR/UK Data Protection Act for services that are designed for, or are likely to be used by, children.
- Impacts consent mechanisms, telemetry collection, and personalization defaults across consumer apps, games, and IoT products.
- Non-compliance risks enforcement actions and reputational damage in a high-scrutiny area of digital policy.
Action items for operators
- Assess whether products are likely to be accessed by children and update DPIAs to address profiling, geolocation, and data sharing risks.
- Implement age-appropriate transparency, parental control options, and default-off settings for data sharing and advertising features.
- Revisit retention schedules and data minimization rules for child profiles, connected devices, and analytics pipelines.