UK's Children's Code


Learn more about the UK's Children's Code and how to navigate this challenging regulatory landscape.

Talk to one of our team members 


What is the UK's Children's Code?

The Code is a set of 15 standards that support an online service to build in privacy by design. Any service that is directed to children or likely to attract children needs to comply. This has caused some controversy amongst industry and confusion as to how to define if a service may attract a child. If your online services appeals to children under the age of 18, even if it's not designed for them, you should implement measures to protect them. Age verification, assurance and estimation are all tools to help you know your audience and industry is fast developing user friendly and privacy preserving methods. The GDPR and the Code are risk based so what measures you will need to implement to provide an appropriate experience for children will depend on the nature of the collection and processing of user's personal data. Conducting a data processing impact assessment will help you to understand what data your service collects, map it to a risk and then put the appropriate controls in place.

About UK's Children's Code

GDPR PRIVOAsset 5@4x

The UK's Children's Code came into force in September 2021. It has a statutory footing meaning that the UK's data protection authority, the Information Commissioner's Office (ICO) must take it into account when considering compliance with UK GDPR or the Privacy and Electronic Communications Regulations (PECR). A court must also take the Children's Codes into account where relevant, and it could be used in evidence. Fines for noncompliance with the GDPR can be up to 20 million Euros, UK £18.5 million, or 4% of global annual turnover.

dataAsset 3@4x

The Code is having an impact. Platforms such as Instagram, TikTok and YouTube all implemented changes to comply with some of the Code but not all of it. TikTok turned off notifications for children past bedtime, Instagram disabled targeted adverts for under-18s and YouTube turned off autoplay for teen users.


alertAsset 1@4x

It's also having an impact globally. In the US, Senator Edward Markey and Representatives Kathy Castor and Lori Trahan sent a letter to the CEOs of Amazon, Facebook, Google, Snapchat, TikTok and Twitter urging them to extend privacy protections required under the United Kingdom's Age Appropriate Design Code (AADC) to children and teens in the United States.

How do I comply with the Code?

coppachecklistAsset 4@4x

If you are an online service that is directed to children or is likely to attract children it is vital to take the necessary steps to be compliant or risk a hefty penalty, brand damage and a loss of trust and integrity.

Things to keep in mind..

  • Know your audience – what age ranges are using your service? Until you know this you don't know what the risks are or what controls to put in place to mitigate these risks. Some of the ways to establish age include self-declaration; identifiers; account holder confirmation; age verification, but new methods are in development including the use of AI.
  • Conduct a DPIA to identify all data collected and to understand the risks associated to the data processing. The ICO has a handy template you can use.
  • Include privacy settings which are on by default. For example, a user's account should be set to private and it should allow them to enable and disable public sharing in a platform or community.
  • Provide child friendly accessible privacy and just in time notices letting the child know why the service is asking for information and what it will be used for.
  • Consider the best interests of the child. For example, does the service really need to collect all the personal information it does to provide the experience, introduce warning if the child has been playing for a lengthy period and don't use nudge techniques to push the child into certain behaviors.
  • Switch off geo location unless there is a justifiable and compelling reason to use it. Make sure it is clear to the user if location tracking is on and only use this feature if it is essential to the functioning of the service. Build in measures to ensure that it is turned off and a child's location is not visible to others if it is not required or being used. Of course, a lawful basis for processing this data is required as it is for processing any personal data.

If you follow the standards of the code and bake privacy into your design you will be building brand trust and integrity which in turn supports lifetime value and engagement, a win win.

To keep your business on the right track and avoid hefty penalties, contact our privacy experts today.

Contact Us

PRIVO’s Kid's Privacy Assured Program

PRIVO will support your organization to navigate the complex challenges of the UK's Children's Code.

Work alongside our experts to ensure your services are compliant
while meeting your business or organizational needs.



Contact us for more information

Contact Us