Comply with the Children's code to protect children's privacy online
Overview of the data protection code of practice for online services likely to be accessed by children.
Last updated 10 April 2026
The Data (Use and Access) Act (DUAA) became law on 19 June 2025. As a result, this guidance is under review and may change. Check the latest DUAA guidance, Children's code hub, and the Information Commissioner's Office (ICO) plans for new guidance.
The Age Appropriate Design Code, also known as 'the Children's code', is a data protection code of practice for online services that are likely to be accessed by children. For the purposes of the code, a child is any person under the age of 18.
Services covered by the Children's code
The code applies to 'information society services' likely to be accessed by children in the UK. This includes:
- apps
- online games
- connected toys and devices
- search engines
- news services
- streaming services
- social media platforms
- websites that offer goods or services online
The code is not limited to services specifically directed at children. It also covers services not aimed at children if children can access them.
The ICO offers FAQs, a list of factors and case studies to help you decide if children are likely to access your service. You can also use the ICO guide to check if the services you provide are covered by this code.
How to comply with the Children's code
The code is not a new law. It simply applies existing UK data protection law (UK General Data Protection Regulation and Data Protection Act 2018) to children's online services.
The code sets 15 standards you must meet when designing, developing or providing online services likely to be accessed by children.
Standards include:
- Best interests of the child: Make this a primary consideration in designing online services accessed by children.
- Data protection impact assessments (DPIA): Conduct a DPIA to assess and mitigate risks to children's rights, considering age and development needs.
- Age appropriate application: Use a risk-based approach to identify child users or apply standards to all users. Check and implement age verification.
- Transparency: Provide clear, age-suited privacy information and bite-sized explanations at key points.
- Detrimental use of data: Avoid using children's data in harmful ways or against codes, regulations or government advice.
- Policies and community standards: Comply with your published terms, policies and standards.
- Default settings: Set high privacy by default, unless a compelling child-focused reason justifies otherwise.
- Data minimisation: Collect and retain only necessary personal data for active service elements, with separate child choices.
- Data sharing: Disclose data only with a compelling reason focused on the child's best interests.
- Geolocation: Switch it off by default; show when tracking is active; reset visibility options to off at the end of each session.
- Parental controls: Inform children age-appropriately; show when monitoring is active.
- Profiling: Switch it off by default; allow it only with safeguards against harm.
- Nudge techniques: Do not use them to encourage unnecessary data provision or weakened privacy.
- Connected toys and devices: Provide tools for code compliance.
- Online tools: Offer prominent tools for easy data access and deletion, and reporting concerns.
View guidance on all 15 standards.
Standard 1 of the Children's code requires online services to treat the best interests of the child as a primary consideration when designing and developing services. The ICO provides free tools and guidance to help you check this - see best interest self-assessment.
Handling unknown user ages
Standard 3 of the Children's code requires online services likely to be accessed by children to take a risk-based approach to age assurance. You should assess the risks to children from data processing using your DPIA (consider data types, volume, profiling and sharing) and evaluate your certainty about users' ages or age ranges.
If your level of certainty matches the risks, apply the code standards to child users only. If not, choose to:
- reduce data risks
- add measures to increase age certainty
- apply standards and high privacy by default to all users, regardless of age
Use the ICO's DPIA template and tools, and their Children's code self-assessment risk toolkit, to help you check if certainty about users' ages matches risks.
Age assurance methods
Choose age assurance methods that match the risks in your online service. For example:
- Self-declaration: Ask users to state their age without proof. Use for low-risk services or with other checks.
- Artificial intelligence: Estimate age from how users interact with your service. Tell users first, collect the minimum data needed and do not use it for other purposes.
- Third-party services: Use external providers for 'yes or no' age checks. Make sure they meet standards like PAS 1296 and tell users about it.
- Account holder confirmation: Let verified adults (like parents) confirm child account ages.
The code suggests other age appropriate applications, depending on the risks associated with your data processing. Higher risks will generally require a greater level of assurance.
The ICO collated several age assurance case studies with real-world examples of different approaches to ensuring age-appropriate services and experiences.
Remember that, if you collect data to check ages, you must keep it to the minimum, use it only for that purpose and delete it when no longer needed. Do not use age data for things like adverts without consent.
Children's code enforcement and fines
The ICO enforces the Children's code through UK GDPR powers. They prioritise action where children face harm or risk from data misuse.
Non-compliance with the Children's code makes it harder to prove your data processing is fair and lawful under UK data protection rules. If you unlawfully process children's personal data, the ICO may take enforcement actions such as:
- warnings and reprimands
- enforcement notices to stop unlawful processing
- fines up to £17.5 million or 4% of global annual turnover (whichever is higher)
If you provide relevant services, you should follow the standards as part of your approach to complying with data protection law. See ICO's detailed children and UK GDPR guidance.
First published 22 March 2021