The Age-Appropriate Design Code

Protecting Children's Privacy Online

In our increasingly digital world, children are accessing online services at younger and younger ages. From educational apps and gaming platforms to social media and streaming services, the internet has become an integral part of modern childhood. However, with this increased online presence comes heightened risks to children’s privacy and the potential misuse of their personal data.

Recognizing the unique vulnerabilities and developmental needs of children, the UK’s Information Commissioner’s Office (ICO) has introduced the Age-Appropriate Design Code, also known as the Children’s Code. This groundbreaking piece of legislation sets out 15 standards that online services must meet to protect children’s privacy and ensure their best interests are at the forefront of design decisions.

In this article, we’ll delve into the key principles of the Age-Appropriate Design Code and explore best practices for organizations to ensure compliance when processing children’s personal data.

Under the UK's Age-Appropriate Design Code, companies must implement robust data protection measures and age-appropriate safeguards when processing personal data of children. Failure to do so could result in substantial fines and enforcement actions by the Information Commissioner's Office (ICO).

Understanding the Age-Appropriate Design Code

The Age-Appropriate Design Code is a statutory code of practice under the Data Protection Act 2018, which provides guidance on the design standards that online services must meet to protect children’s privacy. It applies to all online services likely to be accessed by children in the UK, including apps, games, websites, and other digital offerings.

At its core, the Code emphasizes the importance of considering children’s best interests from the outset of the design process, rather than treating them as an afterthought. It recognizes that children are a vulnerable audience and may not fully understand the implications of sharing personal data online.

Implementing Age-Appropriate Design Principles

Complying with the Age-Appropriate Design Code requires a comprehensive approach that spans all aspects of an online service’s design, development, and operation. Here are some best practices organizations can follow:

1. Conduct a Data Protection Impact Assessment (DPIA)
Before launching an online service that may be accessed by children, organizations must conduct a DPIA to identify and mitigate potential risks to children’s privacy. This assessment should consider the service’s data processing activities, the types of personal data collected, and the potential impacts on children’s rights and freedoms.

2. Implement Privacy by Design and Default
Privacy should be embedded into the design and architecture of online services from the outset, rather than being an afterthought. This means implementing default settings that prioritize privacy protection, minimizing data collection, and providing age-appropriate privacy information and controls.

3. Tailor Privacy Information and Controls
Privacy notices, settings, and controls should be tailored to the age and developmental stage of the intended audience. For younger children, this may involve using simple language, visual aids, and interactive elements to convey privacy information in an engaging and understandable manner.

4. Obtain Verifiable Parental Consent
For online services targeted at children, organizations must obtain verifiable parental consent before processing personal data. This consent should be obtained through a clear and affirmative action, such as completing an online form or providing verifiable credentials.

5. Minimize Data Collection and Retention
Only collect and retain personal data that is strictly necessary for the service’s intended purpose. Implement data minimization techniques and regularly review and delete unnecessary personal data, particularly when it comes to children’s information.

6. Protect Children from Detrimental Use of Data
Online services should not use children’s personal data in ways that could lead to detrimental effects, such as commercial exploitation, behavioral advertising, or exposure to inappropriate or harmful content. Implement robust safeguards and content moderation practices to protect children’s well-being.

7. Provide Clear Age-Appropriate Reporting and Support
Offer age-appropriate reporting mechanisms and support channels that allow children and their parents/guardians to easily report concerns, request access to personal data, or exercise their rights under data protection laws.

8. Continuously Monitor and Review
Regularly review and update privacy practices, settings, and controls to ensure they remain age-appropriate and aligned with the latest guidelines and best practices. Continuously monitor online services for potential risks and take proactive measures to address any issues that arise.

Compliance with the Age-Appropriate Design Code is not a one-time exercise but rather an ongoing commitment to prioritizing children’s privacy and best interests throughout the lifecycle of online services. By implementing these best practices, organizations can demonstrate their dedication to protecting children’s personal data and fostering a safe and secure online environment.

Penalties for Non-Compliance

It’s important to note that failure to comply with the Age-Appropriate Design Code can result in significant penalties and enforcement actions by the ICO. Depending on the severity of the non-compliance, organizations may face fines, audits, enforcement notices, and even potential criminal prosecution in the most egregious cases.

By taking a proactive approach and implementing age-appropriate design principles from the outset, organizations can not only mitigate legal and financial risks but also build trust with their users and position themselves as responsible stewards of children’s personal data.


As the digital landscape continues to evolve, protecting children’s privacy online has become a paramount concern. The Age-Appropriate Design Code represents a significant step forward in ensuring that online services prioritize the best interests of children and safeguard their personal data.

By following the Code’s standards and implementing age-appropriate design principles, organizations can create online experiences that are both engaging and secure for their youngest users. Continuous monitoring, review, and a commitment to privacy by design and default will be crucial in maintaining compliance and fostering a safer digital environment for children.

Embracing the Age-Appropriate Design Code is not just a legal obligation but an ethical responsibility for any organization operating in the online space. By putting children’s privacy and well-being at the forefront, we can empower them to explore the digital world with confidence and protect their rights as they navigate the online realm.
