UK Children’s Code: Age‑Appropriate Design Made Simple

If your business provides a website, app, online game, or any digital service that could be accessed by children in the UK, there’s an essential set of rules you need to know about: the Children’s Code, officially called the Age Appropriate Design Code. Even if children aren’t your main target, the law expects you to treat children’s data with special care. That means new responsibilities – and some real changes to how you design and run your services. Don’t stress – with a bit of practical knowledge, you can ensure your business is both legally compliant and trusted by families. In this guide, we’ll explain, in plain English, what the Children’s Code is, who it applies to, what you actually need to do, and how it fits within the UK’s broader data privacy landscape. Let’s break it all down – keep reading to find out how to keep your digital services safe, age-appropriate, and compliant from day one.

What Is the Children’s Code and Who Does It Apply To?

The Children’s Code – also known as the Age Appropriate Design Code – is a set of 15 flexible standards published by the UK’s Information Commissioner’s Office (ICO). Its core aim? To protect the privacy, safety, and wellbeing of all under-18s when they use online services. It’s not just about child-focused sites. The Code applies to any online service that is “likely to be accessed by children”, including:

• Websites
• Online games
• Apps (including educational or health apps)
• Social media platforms
• Online marketplaces and e-commerce sites
• Connected toys and “Internet of Things” devices

If children in the UK could realistically use your service – even if you’re not specifically targeting them – you need to comply. You might still be responsible even if you’re based outside the UK, as long as your service is available to UK children. What sets the Code apart is its focus: the best interests of the child must come first, ahead of commercial interests. This means designing every aspect of your online service with child privacy and wellbeing in mind from the outset. You can learn more about general data privacy obligations for UK businesses in our article on GDPR compliance.

Why Was the Children’s Code Introduced?

Kids are spending more time than ever online, often using services aimed at adults or general audiences. But children may not fully understand the trade-offs around privacy, targeted advertising, or how their data could be used or misused. The Code was developed to address these risks, putting a legal framework in place so tech companies and online service providers cannot “nudge” children into giving up more data than needed, or expose them to inappropriate features. The Code supports the UK’s Data Protection Act 2018 and the “UK GDPR,” giving legal teeth to principles that protect children’s personal data. Non-compliance could mean serious regulatory action from the ICO – including large fines and public censure.

What Are the 15 Standards at the Heart of the Children’s Code?

Unlike many regulations, the Children’s Code does not set out prescriptive, one-size-fits-all rules. Instead, it offers 15 flexible standards. Meeting these standards means adapting them to your service, but you must be able to show how you’ve factored each one in. Here’s a summary of the headline points:

1. The best interests of the child: Make children’s wellbeing, safety and privacy your top priority in all decisions.
2. Data minimisation: Collect and keep only what’s absolutely needed for your service. No more, no less.
3. Age appropriate application: Make an effort to identify the ages of users so you can apply protections based on developmental stages.
4. Transparency: Policies, explanations, and settings must be clear and accessible to children of all ages (and their parents).
5. Detrimental use of data: Never use children’s data in ways that could harm, mislead or exploit them.
6. Policies and community standards: Clearly set out standards and stick to them in practice.
7. Default settings: Set the highest privacy settings by default for anyone under 18.
8. Data sharing: Don’t transmit children’s data to third parties unless you really need to – and can justify it.
9. Geolocation: Switch off geolocation by default. If you do enable it, make it obvious and allow users to turn it off.
10. Parental controls: If parental controls are part of your service, make sure both parents and children know how and when activity could be monitored.
11. Profiling: Prevent profiling and automatic decision-making unless strictly necessary, and switch it off by default.
12. Nudge techniques: Avoid “dark patterns” or design tricks that encourage children to share more than they need to, or make risky choices.
13. Connected toys & devices: If your product is a device, its online elements must also meet the Code.
14. Online tools: Provide clear tools for children to exercise privacy rights (like deleting their data or changing settings).
15. Data protection impact assessments (DPIAs): Proactively assess privacy risks and show how you’re reducing them.

For a more in-depth look at these principles, visit the ICO’s official guidance, or feel free to contact us for clarification.

What Does “Likely to Be Accessed by Children” Actually Mean?

A crucial aspect of the Children’s Code is that it covers services “likely to be accessed by children” – a deliberately broad definition. This can catch out businesses that assume their online services aren’t for kids, but which are still attractive or accessible to under-18s. The ICO says “likely” means there’s more than just a minimal chance that children will access your service. In most cases, this includes:

• General websites, apps, games, or platforms open to the public
• Educational, health, gaming, entertainment or social services – even those focused on adults
• Services that use marketing, images or layout likely to appeal to children

Even if your analytics indicate a mainly adult audience, you shouldn’t rely on age declaration alone. The bar is set deliberately high. If in doubt, it’s safest to assume your service needs to comply. Worried about how this impacts your online business? You can read more about related online business legal requirements.

What Do I Actually Need To Do To Comply With the Children’s Code?

If your website, app or service is caught by the Code, you need to take several practical steps. Here’s what compliance might involve:

1. Conduct an Age Assessment

Work out whether children are likely to access your service. Use reasonable measures to estimate audiences, such as analysing website data, checking marketing materials, or user research.

2. Implement High Privacy by Default

All privacy settings for children must be set to the highest level by default unless there’s a compelling reason otherwise. For example, don’t make profiles automatically visible or collect extra data “just in case.” This aligns with the UK GDPR’s principle of data minimisation.

3. Make Privacy Information Child-Friendly

Translate your Privacy Policy and terms into plain language, with explanations suited to the child’s age group. Avoid complex legal jargon, and keep explanations concise and visual where possible.

4. Turn Off Geolocation and Profiling by Default

Don’t collect or share location data, or profile (track and segment) users for behavioural advertising, unless you have a legitimate compelling reason that’s in the child’s best interests. Switch these features off by default; if you must use them, make it prominent and easy to disable.

5. Limit Data Sharing and Collection

Only collect data you absolutely need to provide your service. Don’t share it with third parties unless you have robust, clear grounds and controls in place. If you’re unsure when you can share customer data, our guide on customer data protection is a useful resource.

6. Build in Tools to Enable Children to Exercise Privacy Rights

Provide easy-to-use options for kids to delete accounts, withdraw consent, or request their information. These tools should be just as clear and easy to use as any part of your service.

7. Review and Redesign User Interfaces

Avoid manipulative design that “nudges” children into sharing more than necessary. Don’t put the “accept all cookies” or data sharing buttons in bold and make the privacy-protecting ones obscure.

8. Parental Controls: Be Transparent

If you use parental controls or age assurance, make it clear to both children and parents when activity may be monitored. Explain what’s being monitored and why in ways children can understand.

9. Review Third-Party Integrations

Check any plugins, software, or partners (such as advertising networks) comply with the Code’s principles too. You’re responsible for your whole service – not just the parts you directly manage.

10. Carry Out and Document a Data Protection Impact Assessment (DPIA)

You’re required under the Data Protection Act and GDPR to assess privacy risks whenever you introduce any feature that processes children’s data. Consider how you’ll justify the choices you make and keep a written record of your assessment and decisions. Staying compliant also means keeping policies and practices under active review as technology and your service evolve.

How Does the Children’s Code Relate to Other Data Protection Laws?

The Children’s Code doesn’t stand alone. It operates within the framework of the UK GDPR and Data Protection Act 2018. Following the Code helps you meet the higher standards expected when processing children’s data. But if you mishandle data, you could still fall foul of broader legal requirements. Bear in mind, the Code raises the bar for privacy and safety for under-18s. Where standard GDPR or Data Protection Act rules may be looser for adults, for children, you must take extra precautions at every stage – from design, to launch, to ongoing operations.

What Happens If My Business Doesn’t Comply?

The ICO takes children’s online privacy very seriously. Non-compliance can lead to a range of actions:

• Formal investigation by the ICO
• Enforcement notices – requiring you to fix issues within a set time frame
• Reputational damage, since breaches may be publicised
• Potential fines (up to 4% of global annual revenue for GDPR breaches)

But it’s not just about avoiding penalties. Getting it wrong can mean children’s data – and trust – is lost, sometimes permanently. That can spell real damage to your brand and business growth.

What Are the Practical Steps for Businesses to Take?

Here’s a checklist for making sure you’re on the right side of the Children’s Code:

• Audit your services: Identify if children are likely users and map out all data flows.
• Update your privacy policy and make it child-friendly.
• Set privacy options to the highest level by default.
• Review and redesign user interfaces to avoid “dark patterns.”
• Cut out non-essential data collection and sharing.
• Switch off geolocation and profiling for children unless absolutely necessary – and justify why if you can’t.
• Assess and record risks using a documented DPIA.
• If relevant, implement age verification mechanisms thoughtfully (don’t just tick a check box).
• Train your staff in child-friendly data handling and privacy awareness.
• Check your contracts with partners, platforms or advertisers also meet Code requirements – see our resources on legal documents for business.

If you’re unsure what changes to prioritise, or how to document your compliance, it’s a great idea to get tailored legal advice. Sprintlaw can review your online service, help you update policies and contracts, and ensure you’ve taken all necessary steps.

Frequently Asked Questions About the Children’s Code

Does The Children’s Code Only Apply To “Child” Services?

No – it applies to any online service deemed “likely to be accessed by children.” This includes adult-focused websites, e-commerce sites, and general services unless access by children can genuinely be ruled out. When in doubt, err on the side of caution.

What Ages Are Covered?

The Code covers anyone under 18. The ICO recommends tailoring protections based on common developmental stages:

• 0-5 years
• 6-9 years
• 10-12 years
• 13-15 years
• 16-17 years

You’ll need to keep these bands in mind when designing privacy controls and information.

Is This Only For UK Businesses?

No – businesses based outside the UK must also comply if UK children are likely to access their services. This “territorial scope” is similar to the UK GDPR.

Key Takeaways: Children’s Code Compliance Made Simple

• The Children’s Code (Age Appropriate Design Code) is legally binding for all digital services “likely to be accessed by children” in the UK.
• It introduces 15 flexible standards, including requirements for default privacy, clear child-friendly policies, minimised data collection, and more.
• The Code applies to all under-18s, regardless of your intended audience – if children could realistically use your service, you must comply.
• Key steps include: setting high default privacy, clear and accessible information for children, default-off for profiling and geolocation, and robust age assurance when needed.
• Non-compliance can result in ICO investigations, enforcement action, fines, and reputational harm.
• Regularly review your design, privacy policies, and user journey to make sure children’s best interests are prioritised at every step.
• Get professional advice if you’re unsure how to apply the standards to your product or need help updating your legal documents.

Setting up strong privacy protections is a major trust signal for families and young users – and a legal necessity under the UK Children’s Code. Addressing these issues upfront will protect your business and reputation as you grow. If you’d like tailored help with Children’s Code compliance, or want to review your data privacy practices for any online service, you can reach us at 08081347754 or team@sprintlaw.co.uk for a free, no-obligation chat. We’re here to make complex legal requirements simple for your business.