UK Age Appropriate Design Code finalized with 12-month transition

The UK Information Commissioner's Office published the final Age Appropriate Design Code on 26 August 2020, establishing 15 standards for online services likely to be accessed by children. The code became fully enforceable on 2 September 2021, requiring fundamental changes to how digital services handle children's personal data.

The 15 Standards

Best interests of the child requires services to consider and focus on children's best interests when designing and developing online services. This overarching principle guides interpretation of all subsequent standards.

Data protection impact assessments must assess and mitigate risks to children arising from data processing, with regular reassessment when services change. DPIAs should specifically address child-related risks including exposure to harmful content, contact risks, and commercial exploitation.

Age appropriate application requires different approaches for different age groups, recognizing that a 13-year-old and a 6-year-old require different protections. Services should either design for the youngest likely users or implement age-appropriate differentiation.

Transparency demands privacy information provided to children in age-appropriate language and formats, including short-form notices, videos, and interactive tools that children can understand without adult assistance.

Detrimental use of data prohibits using children's personal data in ways detrimental to their physical or mental wellbeing. This includes manipulative interface design, excessive data collection, and targeted advertising exploiting developmental vulnerabilities.

Default settings must be high privacy by default, with any relaxation requiring affirmative action and clear understanding of consequences. Children should not have to configure privacy settings to achieve baseline protection.

Data minimization limits collection and retention to what is strictly necessary for the service elements children are actually using, not what might be useful for other business purposes.

Data sharing restrictions require appropriate reasons for disclosing children's data to third parties, with transparency about sharing arrangements and safeguards ensuring appropriate use by recipients.

Geolocation must be off by default, with visible signals when location tracking is active. Services should provide easy mechanisms for children to disable location tracking.

Parental controls must be transparent to children, avoiding covert monitoring that undermines trust. Children should understand what controls are active and what information parents can access.

Profiling must be off by default unless there are compelling reasons to enable it and appropriate safeguards are in place. Behavioral targeting of children faces particular scrutiny.

Nudge techniques that lead children toward weaker privacy settings, excessive personal data disclosure, or extended engagement are prohibited. Interface design must respect rather than exploit children's developmental characteristics.

Connected toys and devices must incorporate appropriate data protection features and clearly communicate their data processing to both children and parents.

Online tools must provide prominent, accessible mechanisms for children to exercise data protection rights, including access, correction, deletion, and complaint submission.

Consistent application requires privacy policies and community standards to be consistently applied, with enforcement mechanisms children can access and understand.

Age Estimation Approaches

Services must establish whether users are likely to be children, using proportionate measures such as age declarations, technical estimation methods, or service design approaches. The code does not mandate specific age verification technologies but requires reasonable approaches to identifying child users.

Implementation Implications

If you are affected, audit existing services against the 15 standards, implement privacy-by-default configurations, redesign transparency materials for child audiences, and establish governance processes ensuring ongoing compliance. The code's influence extends beyond UK borders as other jurisdictions consider similar requirements.