What is the UK's New Children's Digital Privacy Code?

New regulations concerning the handling of children’s data online have come into effect in the UK recently, after being proposed in the 2018 Data Protection Act. We explore what the new digital privacy code is and what impact it could have.

What is The Age Appropriate Design Code?

The Age Appropriate Design Code, also known as the ‘Children’s Code’ came into force in September last year, but companies were given 12 months to adapt their services in order to be compliant. That time has now expired and all companies are expected to have full compliance with the code.

The code includes the following regulations, as set out by the Information Commissioner’s Office (ICO):

– Privacy settings should be set to high by default if children are using a website or app.

– ‘Nudge’ techniques that encourage children to provide more personal data than is necessary to use the app/website should be avoided.

– Location settings should be switched off by default.

– Data collection and sharing should be minimised.

– Profiling that can allow children to be served targeted content should be switched off by default.

Why has the code been introduced?

According to the Information Commissioner, Elizabeth Denham, “Personal data often drives the content that our children are exposed to – what they like, what they search for, when they log on and off and even how they are feeling”.

She continued: “In an age when children learn how to use an iPad before they ride a bike, it is right that organisations designing and developing online services do so with the best interests of children in mind. Children’s privacy must not be traded in the chase for profit.”

It comes down to concerns over the regulation of how websites use and share the personal data of children. Those introducing the regulations want to protect the best interests of children at a time when they are easily influenced and susceptible to physical, emotional or financial harm.

What happens if developers don’t follow the code?

The code has been inspired by GDPR and so those who are found to be in breach will be subject to the same penalties. While there is no instant penalty, and website or app developers will be encouraged to reform first of all, there is the potential for an ICO audit. 

During the audit, the company may be required to provide proof that the app or website had been designed in line with the code. Following this, the ICO will “take appropriate action to enforce the underlying data protection standards, subject to applicable law and in line with our Regulatory Action Policy”.

This is one of the first codes of its kind globally, but it is expected that more will be introduced around the world.

Have apps started to make changes already?

There have been recent changes on some of the main apps which show a reform of children’s privacy, which could be a sign that the UK’s code is having an impact globally.

According to the BBC, the following changes have been made:

– YouTube will turn off default auto-play on videos and block ad targeting and personalisation for all children.

– TikTok will stop sending notifications after 21:00 to 13- to 15-year-olds and 22:00 to 16- and 17-year-olds.

– Instagram is preventing adults from messaging children who do not follow them, defaulting all child accounts to private and requiring users to enter their date of birth to log in.

Indeed, The Guardian also reported that Facebook have introduced measures that mean users under 18 are exempted from targeted advertising entirely, receive tighter default sharing settings, and get protection from “potentially suspicious accounts” – adults who have previously been blocked by large numbers of young people on the site.

How will age be verified on these apps?

One of the key questions that this code produces is around age verification. It’s important to have the correct settings for children, but how can apps be sure of the exact age of a user in order to impose these?

If they simply ask them to input their own date of birth, for example, it will be very easy for them to lie and circumvent the privacy code. While most sites only allow users aged 13 or older, younger users have been known to create accounts.

This is something that is still being discussed and it will be interesting to see what is proposed in order to solve this issue!


Many believe that this “children’s code” is a step in the right direction when it comes to digital privacy and protecting our young people. It is likely that we will see similar measures implemented in other countries, especially as some of the major global apps are already making changes in line with the new UK regulations.