Compliance — United Kingdom

The UK Information Commissioner’s Office (ICO) began a 12-month transition period on 2 September 2020 to enforce the Age Appropriate Design Code (Children’s Code), compelling online services likely to be accessed by children to implement high-privacy defaults, data minimization, and safeguards by 2 September 2021. Product, legal, security, and engineering leaders must orchestrate cross-functional programs to classify child users, redesign data flows, and show accountability under the UK GDPR.

Enforcement timeline and regulatory expectations

The transition year that started on 2 September 2020 gave teams until 2 September 2021 to implement the Children’s Code. During this period the ICO expected visible progress: applicability assessments, DPIAs, roadmap publication, and early rollouts of age-appropriate defaults. Post-grace-period enforcement relies on the ICO’s UK GDPR toolkit—information notices, assessment notices, stop-processing orders, and fines up to 4% of global annual turnover. The ICO has signaled active oversight through investigations and actions against platforms whose age assurance, transparency, or data sharing fell short of the code.

Teams should work toward quarterly milestones ahead of any new product launch: (1) scope and risk segmentation, (2) DPIA and design approvals, (3) setup of privacy safeguards, (4) validation and evidence gathering. Coordinate with legal to ensure board-level sign-off for high-risk processing affecting children and to prepare for ICO engagement, including potential participation in the ICO sandbox.

Compliance requirements and technical setup

The Children’s Code contains 15 standards covering best interests of the child, age-appropriate application, transparency, detrimental use of nudge techniques, parental controls, profiling, geolocation, default settings, data minimization, data sharing, connected toys, online tools, and governance. Treat the standards as cumulative: falling short on any material standard can undermine compliance.

Conduct service mapping to determine where children are likely to access the product. Indicators include analytics showing significant under-18 usage, app store categories, marketing materials, and comparisons with similar services. Document applicability decisions in Article 30 records and keep evidence (for example, survey data, regulator guidance) for audit trails. Where services are mixed-audience, design differentiated experiences with gating and content controls to prevent inadvertent exposure of children to adult-facing features.

Operationalize compliance through technical controls. Build configuration flags that enable child-specific defaults: disable precise geolocation, set profiles to private, restrict contact discovery to verified users, and block third-party sharing unless strictly necessary. Implement consent and transparency flows that are concise, age-appropriate, and tested for comprehension. Ensure all data collection events include lawful basis annotations and retention rules, and block telemetry that is not essential for delivering the service.

Age assurance and user journey redesign

Implement proportionate age assurance to distinguish users under and over 18. Combine self-declaration with contextual signals (device settings, language, time-of-day use patterns) while minimising intrusion. For higher-risk use cases—social networking, livestreaming, in-app purchases—layer additional verification such as credit reference checks or third-party age estimation that align with ICO guidance and avoid excessive data retention.

Redesign registration, onboarding, and parental dashboards to provide layered notices with plain language, icons, and just-in-time prompts. Avoid dark patterns that encourage children to weaken privacy protections or overshare data. Offer clear parental controls with audit trails that show when privacy settings were changed and by whom. Ensure exit paths from prompts are equally prominent to avoid nudging toward riskier options.

Data minimization, default privacy, and profiling controls

Inventory every data element collected from child users and challenge necessity. Remove non-essential fields, truncate precise location to coarse regions, and implement automated deletion schedules tied to inactivity or service completion. Configure defaults to maximum privacy: private profiles, disabled public searchability, deactivated ad identifiers, and off-by-default data sharing with third parties. When functionality requires sharing (for example, multiplayer matchmaking), expose clear opt-in controls at the moment of need and log user choices for accountability.

Disable behavioral advertising for child accounts and restrict recommendation systems to content curation that demonstrably serves the best interests of the child (for example, educational progression). Provide accessible toggles for profiling features and record legitimate interest assessments. Where profiling is required for safety (fraud or abuse detection), document necessity and proportionality, and maintain human oversight to reduce adverse impacts.

Security, incident response, and vendor management

Children’s data warrants heightened protection. Enforce multi-factor authentication for administrative access, apply role-based access controls, encrypt data in transit and at rest, and monitor for anomalous access patterns. Incorporate child-specific scenarios into incident response plans, including parental notification templates, rapid ICO reporting procedures, and data minimization steps during containment.

Vet third-party processors, SDKs, and advertising partners to ensure they honor privacy settings and do not transmit child data without lawful basis. Update contracts with child data protection clauses, audit rights, and incident notification timelines aligned to the code. Maintain a vendor register with data flow diagrams, access scopes, and review cadences, and remove unused SDK permissions that could expose children to tracking or profiling.

Compliance validation, testing, and continuous improvement

Run Data Protection Impact Assessments (DPIAs) tailored to child users. Identify high-risk processing—profiling, geolocation, user-generated content visibility—and score mitigations. Incorporate child rights impact assessments to balance commercial objectives with the best interests of the child, referencing UN Convention on the Rights of the Child principles.

Invest in participatory research with children and parents to evaluate comprehension of notices, clarity of parental controls, and usability of privacy settings. Conduct moderated usability studies across age cohorts (7–9, 10–12, 13–15, 16–17) and capture comprehension gaps. Supplement qualitative findings with A/B experiments comparing high-privacy defaults versus legacy experiences, measuring retention, complaint rates, and safety incidents. Feed results into release checklists and regression suites to ensure no privacy regressions are introduced during updates.

Risk mitigation and accountability evidence

Establish governance that links senior accountability to delivery of the Children’s Code. Assign product, engineering, security, and legal owners for each standard. Track progress through dashboards that measure adoption of privacy settings, volume of child safety incidents, time-to-close for user complaints, and training completion rates. Provide regular board updates summarizing residual risks and remediation timelines.

Maintain audit-ready documentation: DPIA outputs, design decision logs, policy updates, incident postmortems, and training records. For global platforms, reconcile UK Children’s Code controls with EU Digital Services Act, forthcoming EU AI Act safeguards, and any local age verification mandates to prevent fragmented experiences. Prepare for ICO inquiries by keeping evidence packages that show how best-interests assessments were made and how child feedback informed design choices.

Communications and stakeholder engagement

Publish clear privacy information for children and parents, including FAQs, video explainers, and accessible complaint channels. Coordinate with customer support to provide scripts and escalation paths for privacy concerns. Engage with industry bodies (techUK, ISBA, UKIE) and child safety NGOs to benchmark practices and stay ahead of evolving guidance. Where appropriate, test new approaches in the ICO’s sandbox to validate proportionality of age assurance or transparency methods.

Follow-up: The enforcement grace period ended in September 2021; the ICO has since taken actions against platforms, including a £12.7 million fine against TikTok in April 2023 for unlawful processing of children’s data, and continues to refine design guidance for immersive and high-risk environments.

You may also find useful

Hand-picked articles on adjacent topics.

Compliance · Credibility 73/100 · October 29, 2020

California Privacy Rights Act (CPRA): Voter Approval of Enhanced Data Protection

California voters approve Proposition 24, the California Privacy Rights Act, expanding CCPA protections with sensitive data categories, data minimization requirements, and creation of a dedicated privacy enforcement…

Compliance · Credibility 88/100 · January 29, 2020

EDPB finalizes GDPR guidelines for video device surveillance

The European Data Protection Board finalized guidelines on video surveillance under GDPR. Key takeaway: legitimate interest is not a free pass—you need proper signage, data protection impact assessments for high-risk…

Compliance · Credibility 71/100 · April 26, 2021

Apple enforces App Tracking Transparency with iOS 14.5 rollout

Apple released iOS 14.5 on 26 April 2021, activating App Tracking Transparency prompts that require user opt-in before apps can access the Identifier for Advertisers or track activity across apps and websites.

Compliance · Credibility 91/100 · June 10, 2021

Compliance — China PIPL

China's PIPL passed in August 2021—their answer to GDPR. Consent requirements, data localization, cross-border transfer controls, and serious penalties. If you process data from Chinese users, this changed everything.

Compliance · Credibility 71/100 · March 25, 2022

EU & US announce Trans-Atlantic Data Privacy Framework

On 25 March 2022 the European Commission and U.S. White House announced a political agreement to create the Trans-Atlantic Data Privacy Framework, outlining new safeguards for EU-U.S. data transfers to replace Privacy…

Continue in the Compliance pillar

Return to the hub for curated research and deep-dive guides.

Visit pillar hub

Latest guides

• Third-Party Risk Oversight Playbook

  Operationalize OCC, Federal Reserve, EBA, and MAS outsourcing expectations with lifecycle controls, continuous monitoring, and board reporting.

• Compliance Operations Control Room

  Implement cross-border compliance operations that satisfy Sarbanes-Oxley, DOJ guidance, EU DORA, and MAS TRM requirements with verifiable evidence flows.

• ESG Assurance Operating Guide

  Deploy credible ESG assurance across CSRD, SEC climate disclosure, and ISSA 5000 requirements with regulator-aligned controls, data governance, and audit-ready evidence.

Coverage intelligence

Published

September 2, 2020

Coverage pillar

Compliance

Source credibility

84/100 — high confidence

Topics

United Kingdom · Children's Code · Privacy · Product design · Data protection

Sources cited

3 sources (ico.org.uk, iso.org)

Reading time

6 min

Documentation

1. ICO Age Appropriate Design Code (Children's Code) — Information Commissioner's Office
2. ICO — Age appropriate design: a code of practice — Information Commissioner's Office
3. ISO 37301:2021 — Compliance Management Systems — International Organization for Standardization