Code of Practice to protect kids’ online privacy


Online service providers in the UK have been told they must meet a set of tough new standards designed to protect children’s privacy.

The Information Commissioner’s Office (ICO) has published its final Age Appropriate Design Code, 15 standards which make clear the responsibilities of, among others, app, social media and games developers, plus educational websites and streaming services.

It covers services likely to be accessed by children and which process their data, and the code will require digital services to automatically provide children with a built-in baseline of data protection whenever they download a new app, game or visit a website.

‘Best interests of the child’

It means privacy settings should be set to high by default and nudge techniques should not be used to encourage children to weaken their settings. Location settings that allow the world to see where a child is, should also be switched off by default. Data collection and sharing should be minimised and profiling that can allow children to be served up targeted content should be switched off by default too.

Elizabeth Denham, the Information Commissioner, said: “Personal data often drives the content that our children are exposed to – what they like, what they search for, when they log on and off and even how they are feeling.


“In an age when children learn how to use an iPad before they ride a bike, it is right that organisations designing and developing online services do so with the best interests of children in mind. Children’s privacy must not be traded in the chase for profit.”

The ‘best interests of the child should be a primary consideration’ when designing and developing online services, says the code. It also gives practical guidance on data protection safeguards that ensure online services are appropriate for use by children.

“One in five internet users in the UK is a child, but they are using the internet that was not designed for them,” added Denham. “There are laws to protect children in the real world – film ratings, car seats, age restrictions on drinking and smoking. we need our laws to protect children in the digital world too. In a generation from now, we will look back and find it astonishing that online services weren’t always designed with children in mind.”

Statutory process

The standards of the code are rooted in the General Data Protection Regulation (GDPR) and the code was introduced by the Data Protection Act 2018. The ICO submitted the code to the Secretary of State in November and it must complete a statutory process before it is laid in Parliament for approval. After that, organisations will have 12 months to update their practices before the code comes into full effect. The ICO expects this to be by autumn 2021.

This version of the code is the result of wide-ranging consultation and engagement.

The ICO received 450 responses to its initial consultation in April 2019 and followed up with dozens of meetings with individual organisations, trade bodies, industry and sector representatives, and campaigners.

As a result, and in addition to the code itself, the ICO is preparing a significant package of support for organisations.

The code is the first of its kind, but it reflects the global direction of travel with similar reform being considered in the USA, Europe and globally by the Organisation for Economic Co-operation and Development (OECD).

Author: Simon Weedy

Add your comment

characters remaining.

Log in through one of the following social media partners to comment.