Skip to content

Code of Practice to protect children’s online privacy

On 21 January 2020, the ICO published its final Age Appropriate Design Code (the "Code"), which sets out 15 standards that online services should meet to protect children's privacy.

What does the Code do?

The Code sets standards for those processing the personal data of children, including if you design, develop or provide, for example, online apps, social media platforms, games, connected toys and educational websites for children. If you are involved in providing online services to children, then you should review the Code to ensure that you comply with it.

What you need to know

You must consider what are in the best interests of a child when you process their personal data and generally, if you seek to deviate from any of the standards, you are likely to have to demonstrate that there was a compelling reason for doing so, taking the best interests of the child into account. Conducting DPIAs should help you identify any specific risks and non-compliance with the Code.

To comply with the accountability principle, you will need to be able to demonstrate your compliance with the Code.

The 15 standards

The Code can be accessed here. The 15 standards are summarised below:

  • The best interests of the child should be a primary consideration when online services are designed and developed which children are likely to access.
  • You are likely to have to undertake DPIAs (data protection impact assessments) to assess and mitigate risks, as the level of risk is increased when a child’s personal data is being processed. Take a risk-based approach to recognising the age of individual users.
  • Provide clear and prominent privacy policies that children of different ages can understand.
  • Don’t use personal data in ways that have been shown to be detrimental to their wellbeing, and take into account industry codes of practice, regulatory provisions and Government advice.
  • Practice what you preach; apply your policies and procedures promptly and effectively (e.g. how you deal with anti-bullying).
  • ‘High privacy’ should be the default setting, unless you need to process personal data to provide your core service.
  • Only collect the minimum personal data that you need. If you need more to access another part of your service, make clear what additional information is required and give the child a choice as to whether or not they use that other part of your service.
  • Data should only be shared when there is a compelling reason to do so and you have undertaken due diligence on the recipient. Safeguarding is almost certainly a compelling reason to share a child’s data; selling it for commercial re-use is less likely to be.
  • Geolocation tracking should be turned off as a default, and a child should be aware when any tracking is active. At the end of a session where a child’s location is visible to others, the tracking should default to being off.
  • If parental controls are offered (such as monitoring or tracking), the child should be given appropriate information about this and should be notified when the parental controls are being used.
  • Profiling should only be permitted if appropriate measures are in place to protect from any harmful effects.
  • Nudging techniques which may encourage a child to provide additional personal data or disable privacy protections should not be used.
  • Appropriate tools should be provided when a connected device is purchased and clear information should be given as to how personal data collected by the device will be used.
  • Tools to assist children in exercising their data protection rights and reporting concerns should be prominent and easy to access. For example, the right to erasure is particularly relevant for children using online services as they may give their consent as a child but may later want that personal data removed, especially when it is on the internet.

Regulating the use of children’s data is a priority for the ICO

The ICO has made use of children’s personal data a regulatory priority and has stated that it will use its full range of measures to monitor conformance with the Code. This can include its audit and investigatory powers, or its regulatory action powers if considered appropriate. If you process personal data relating to children, it is vital that you review the Code as soon as possible and start addressing the Code’s standards. You also need to document what you are doing and how you are doing it.

We can help!

We have a specialist team of data protection and child protection lawyers here at Ward Hadaway and would be happy to discuss any issues that you may have about complying with the Code, the preparation of DPIAs or any other concerns that you may have.

For data protection queries, please contact Phil Tompkins on 0330 137 3415 / phil.tompkins@wardhadaway.com or Chris Bowen on 0330 137 3459 / christopher.bowen@wardhadaway.com and for child protection queries, please contact Jonathan Flower on 0330 137 3206 / jonathan.flower@wardhadaway.com.

Please note that this briefing is designed to be informative, not advisory and represents our understanding of English law and practice as at the date indicated. We would always recommend that you should seek specific guidance on any particular legal issue.

This page may contain links that direct you to third party websites. We have no control over and are not responsible for the content, use by you or availability of those third party websites, for any products or services you buy through those sites or for the treatment of any personal information you provide to the third party.

Follow us on LinkedIn

Keep up to date with all the latest updates and insights from our expert team

Take me there

What we're thinking